Authenticated Stored Cross-Site Scripting (XSS) vulnerability in YITH Maintenance Mode (WordPress plugin) versions <= 1.3.7, vulnerable parameter &yith_maintenance_newsletter_submit_label. Possible even when unfiltered HTML is disallowed by WordPress configuration.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in figoliquinn Mobile Kiosk mobile-kiosk allows Stored XSS.This issue affects Mobile Kiosk: from n/a through <= 1.3.0.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in straightvisions GmbH SV Forms sv-forms allows DOM-Based XSS.This issue affects SV Forms: from n/a through <= 2.0.05.
An authenticated user can supply malicious HTML and JavaScript code that will be executed in the client browser.
File Upload vulnerability in Feehi CMS thru 2.1.1 allows attackers to run arbitrary code via crafted image upload.
Adobe Experience Manager versions 6.5.21 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in RadiusTheme Portfolio – WordPress Portfolio plugin <= 2.8.10 versions.
An authenticated attacker is able to create alerts that trigger a stored XSS attack. POC * go to the alert manager * open the ITSM tab * add a webhook with the URL/service token value ' -h && id | tee /tmp/ttttttddddssss #' (whitespaces are tab characters) * click add * click apply * create a test alert * The test alert will run the command “id | tee /tmp/ttttttddddssss” as root. * after the test alert inspect /tmp/ttttttddddssss it'll contain the ids of the root user.
A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.20.1 allows remote attackers to inject arbitrary web script or HTML via the url parameter of the upgrade session confirmation page (upgradeSession / forceUpgrade) if the "Upgrade session" plugin has been enabled by an admin
In HCL Digital Experience, customized XSS payload can be constructed such that it is served in the application unencoded.
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the "Services" tab of the Device page allows authenticated users to inject arbitrary JavaScript through the "descr" parameter when adding a service to a device. This vulnerability could result in the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and enabling unauthorized actions. This vulnerability is fixed in 24.10.0.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vadim Bogaiskov Bg Patriarchia BU bg-patriarchia-bu allows DOM-Based XSS.This issue affects Bg Patriarchia BU: from n/a through <= 2.2.3.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Santhosh veer Stylish Internal Links stylish-internal-links allows DOM-Based XSS.This issue affects Stylish Internal Links: from n/a through <= 1.9.
Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities in WordPress WP Google Maps Pro premium plugin (versions <= 8.1.11). Vulnerable parameters: &wpgmaps_marker_category_name, Value > &attributes[], Name > &attributes[], &icons[], &names[], &description, &link, &title.
The yoast_seo (aka Yoast SEO) extension before 7.2.3 for TYPO3 allows XSS.
Cross Site Scripting (XSS) vulnerability in Naviwebs Navigate Cms 2.9 via the navigate-quickse parameter to 1) backups\backups.php, 2) blocks\blocks.php, 3) brands\brands.php, 4) comments\comments.php, 5) coupons\coupons.php, 6) feeds\feeds.php, 7) functions\functions.php, 8) items\items.php, 9) menus\menus.php, 10) orders\orders.php, 11) payment_methods\payment_methods.php, 12) products\products.php, 13) profiles\profiles.php, 14) shipping_methods\shipping_methods.php, 15) templates\templates.php, 16) users\users.php, 17) webdictionary\webdictionary.php, 18) websites\websites.php, and 19) webusers\webusers.php because the initial_url function is built in these files.
For an authenticated end-user the portal may run a script while attempting to display a directory or some file's properties.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hussam Hussien Popup Image popup-image allows Stored XSS.This issue affects Popup Image: from n/a through <= 1.0.1.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cool Plugins Web Stories Widgets For Elementor shortcodes-for-amp-web-stories-and-elementor-widget allows Stored XSS.This issue affects Web Stories Widgets For Elementor: from n/a through <= 1.1.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in reyzua Topbar ID for Elementor topbar-id-for-elementor allows DOM-Based XSS.This issue affects Topbar ID for Elementor: from n/a through <= 1.0.1.
A vulnerability in the HPE Aruba Networking ClearPass Policy Manager web-based management interface could allow an authenticated remote Attacker to conduct a stored cross-site scripting (XSS) attack. Successful exploitation could enable a threat actor to perform any actions the user is authorized to do, including accessing the user's data and altering information within the user's permissions. This could lead to data modification, deletion, or theft, including unauthorized access to files, file deletion, or the theft of session cookies, which an attacker could use to hijack a user's session.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sistemasBebetter BeBetter Social Icons bebetter-social-icons allows DOM-Based XSS.This issue affects BeBetter Social Icons: from n/a through <= 2.7.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in strailejoey AchillesTheme-shortcodes achilles-shortcodes allows DOM-Based XSS.This issue affects AchillesTheme-shortcodes: from n/a through <= 0.1.
Blackboard Learn through 9.1 allows XSS by an authenticated user via the Assignment Instructions HTML editor.
An issue was discovered in AbanteCart before 1.3.2. Any low-privileged user with file-upload permissions can upload a malicious SVG document that contains an XSS payload.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BU Web Team BU Slideshow bu-slideshow allows Stored XSS.This issue affects BU Slideshow: from n/a through <= 2.3.10.
The miniorange_saml (aka Miniorange Saml) extension before 1.4.3 for TYPO3 allows XSS.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joan Boluda Embed documents shortcode embed-documents-shortcode allows Stored XSS.This issue affects Embed documents shortcode: from n/a through <= 1.5.
Authenticated end-user may set a specially crafted SNX bookmark that can make their browser run a script while accessing their own bookmark list.
DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to visit a specially crafted page.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RobertoAlicata ra_qrcode ra-qrcode allows Stored XSS.This issue affects ra_qrcode: from n/a through <= 2.1.0.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pierre Jégo Map Store Locator map-store-location allows DOM-Based XSS.This issue affects Map Store Locator: from n/a through <= 1.2.1.
A cross-site scripting (XSS) vulnerability in the component /graph_all_periods.php of Ganglia-web v3.73 to v3.75 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the "g" parameter.
Adobe Experience Manager versions 6.5.21 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shazahanul Islam Shohag AzonBox azonbox allows DOM-Based XSS.This issue affects AzonBox: from n/a through <= 1.1.2.
Easytest bulletin board management function of online learning platform does not filter special characters. After obtaining a user’s privilege, remote attackers can inject JavaScript and execute stored XSS attack.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MartyThornley Photographer Connections photographer-connections allows Stored XSS.This issue affects Photographer Connections: from n/a through <= 1.3.1.
Blackboard Learn through 9.1 allows XSS by an authenticated user via the Feedback to Learner form.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CyberChimps Responsive Addons for Elementor responsive-addons-for-elementor allows DOM-Based XSS.This issue affects Responsive Addons for Elementor: from n/a through <= 1.5.4.
An issue was discovered in Veritas Enterprise Vault before 15.1 UPD882911, ZDI-CAN-24698. It allows an authenticated remote attacker to inject a parameter into an HTTP request, allowing for Cross-Site Scripting while viewing archived content. This could reflect back to an authenticated user without sanitization if executed by that user.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Movement Ventures Boombox Shortcode boombox-shortcode allows DOM-Based XSS.This issue affects Boombox Shortcode: from n/a through <= 1.0.0.
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a stored Cross-Site Scripting (XSS) vulnerability in getgrav/grav allows publisher-level accounts to execute arbitrary JavaScript. The issue arises from a blacklist bypass in the detectXss() function when handling unquoted HTML event attributes. This vulnerability is fixed in 2.0.0-beta.2.
The Hash Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' parameter within multiple widgets in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Authenticated (subscriber or higher user role if allowed to access projects) Stored Cross-Site Scripting (XSS) vulnerability in weDevs WP Project Manager plugin <= 2.4.13 versions.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Codeies Pvt Ltd Provide Forex Signals provide-forex-signals allows Stored XSS.This issue affects Provide Forex Signals: from n/a through <= 1.0.
Adobe Experience Manager versions 6.5.21 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
An issue was discovered in Concrete CMS through 8.5.5. Stored XSS can occur in Conversations when the Active Conversation Editor is set to Rich Text.
An improper neutralization of input vulnerability [CWE-79] in FortiWebManager versions 6.2.3 and below, 6.0.2 and below may allow a remote authenticated attacker to inject malicious script/tags via the name/description/comments parameter of various sections of the device.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpjobportal WP Job Portal wp-job-portal allows Stored XSS.This issue affects WP Job Portal: from n/a through <= 2.2.0.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jandal Bitcoin Payments bitcoin-payments allows DOM-Based XSS.This issue affects Bitcoin Payments: from n/a through <= 1.4.2.