cPanel before 62.0.4 allows self XSS on the webmail Password and Security page (SEC-199).
cPanel before 66.0.2 allows stored XSS during WHM cPAddons installation (SEC-263).
Progress Sitefinity 9.1 has XSS via the Content Management Template Configuration (aka Templateconfiguration), as demonstrated by the src attribute of an IMG element. This is fixed in 10.1.
Cross-site scripting vulnerability in Cybozu Office 10.0.0 to 10.5.0 allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.
cPanel before 66.0.2 allows stored XSS during WHM cPAddons uninstallation (SEC-266).
cPanel before 62.0.4 allows self XSS on the paper_lantern password-change screen (SEC-197).
Dolibarr ERP/CRM is affected by stored Cross-Site Scripting (XSS) in versions through 7.0.0.
Progress Sitefinity 9.1 has XSS via the Last name, First name, and About fields on the New User Creation Page. This is fixed in 10.1.
cPanel before 62.0.24 allows stored XSS in the WHM cPAddons install interface (SEC-262).
cPanel before 66.0.2 allows stored XSS during WHM cPAddons file operations (SEC-265).
cPanel before 67.9999.103 allows stored XSS in WHM MySQL Password Change interfaces (SEC-282).
Cross-site scripting vulnerability in Cybozu Garoon 3.0.0 to 4.2.3 allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.
Canvs Canvas version 3.4.2 contains a Cross Site Scripting (XSS) vulnerability in User's details that can result in denial of service and execution of javascript code.
Progress Sitefinity 9.1 has XSS via file upload, because JavaScript code in an HTML file has the same origin as the application's own code. This is fixed in 10.1.
nZEDb v0.7.3.3 has XSS in the 404 error page.
cPanel before 68.0.15 allows stored XSS during a cpaddons moderated upgrade (SEC-336).
cPanel before 66.0.2 allows stored XSS during WHM cPAddons processing (SEC-269).
Bose SoundTouch devices allow XSS via crafted song data from a music service, as demonstrated by Pandora.
wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers to conduct XSS attacks via a crafted file.
FS Lynda Clone has XSS via the keywords parameter to tutorial/ or the edit_profile_first_name parameter to user/edit_profile.
IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 137038.
The viewDeploymentVersionCommits resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release.
The source browse resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 allows allows remote attackers that have write access to an indexed repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in via a specially crafted repository branch name when trying to display deleted files of the branch.
wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL.
IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 contains an undisclosed vulnerability that would allow an authenticated user to obtain elevated privileges. IBM X-Force ID: 134919.
IBM DOORS Next Generation (DNG/RRC) 5.0, 5.0.1, 5.0.2, and 6.0 through 6.0.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 137035.
ServersCheck Monitoring Software before 14.2.3 is prone to a cross-site scripting vulnerability as user supplied-data is not validated/sanitized when passed in the settings_SMS_ALERT_TYPE parameter, and JavaScript can be executed on settings-save.html (the Settings - SMS Alerts page).
wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site.
IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle Management 5.0 through 5.0.2 and 6.0 through 6.0.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 134066.
IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 134909.
IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle Management 5.0 through 5.0.2 and 6.0 through 6.0.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 134637.
In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a "Calendar -> New Event" action.
PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/slider_edit.php edit_id parameter.
In Horde Groupware 5.2.19, there is XSS via the Name field during creation of a new Resource. This can be leveraged for remote code execution after compromising an administrator account, because the CVE-2015-7984 CSRF protection mechanism can then be bypassed.
Kliqqi CMS 3.5.2 has XSS via a crafted group name in pligg/groups.php, a crafted Homepage string in a profile, or a crafted string in Tags or Description within pligg/submit.php.
Biometric Shift Employee Management System has XSS via the criteria parameter in an index.php?user=competency_criteria request.
The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a branch.
The editinword resource in Atlassian Confluence Server before version 6.4.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the contents of an uploaded file.
IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle Management 5.0 through 5.0.2 and 6.0 through 6.0.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 134796.
IBM Curam Social Program Management 6.0.5, 6.1.1, 6.2.0, 7.0.1, and 7.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 134922.
Biometric Shift Employee Management System has XSS via the expense_name parameter in an index.php?user=expenses request.
Biometric Shift Employee Management System has XSS via the index.php holiday_name parameter in an edit_holiday action.
In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the Color field in a Create Task List action.
The view review history resource in Atlassian Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the invited reviewers for a review.
The print snippet resource in Atlassian Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the contents of a comment on the snippet.
The Trello board importer resource in Atlassian Jira before version 7.6.1 allows remote attackers who can convince a Jira administrator to import their Trello board to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the title of a Trello card.
The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release.
IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 137037.
Biometric Shift Employee Management System has XSS via the Last_Name parameter in an index.php?user=ajax request.
Cross-site scripting (XSS) vulnerability in system_name_set.cgi in TP-Link TL-SG108E 1.0.0 allows authenticated remote attackers to submit arbitrary java script via the 'sysName' parameter.