Frog CMS 0.9.5 has XSS via the admin/?/snippet/edit snippet[name] parameter, aka Edit Snippet.
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit.
A vulnerability in the web-based management interface of Cisco Integrated Management Controller Supervisor Software and Cisco UCS Director Software could allow an authenticated, remote attacker to conduct a Document Object Model-based (DOM-based), stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the affected interface to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or allow the attacker to access sensitive browser-based information on the affected device. Cisco Bug IDs: CSCvh12994.
Cross-site scripting vulnerability in multiple FXC Inc. network devices (Managed Ethernet switch FXC5210/5218/5224 firmware prior to version Ver1.00.22, Managed Ethernet switch FXC5426F firmware prior to version Ver1.00.06, Managed Ethernet switch FXC5428 firmware prior to version Ver1.00.07, Power over Ethernet (PoE) switch FXC5210PE/5218PE/5224PE firmware prior to version Ver1.00.14, and Wireless LAN router AE1021/AE1021PE firmware all versions) allows attacker with administrator rights to inject arbitrary web script or HTML via the administrative page.
The WP Editor.md plugin 10.0.1 for WordPress allows XSS via the comment area.
IBM QRadar SIEM 7.3 and 7.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 218367.
In YzmCMS 5.1, stored XSS exists via the admin/system_manage/user_config_add.html title parameter.
WolfCMS 0.8.3.1 has XSS via the /?/admin/page/add slug parameter.
Catfish CMS v4.7.9 allows XSS via the admin/Index/write.html editorValue parameter (aka an article posted by an administrator).
An issue was discovered in QCMS 3.0.1. upload/System/Controller/backend/news.php has XSS.
ClipperCMS 1.3.3 has stored XSS via the Full Name field of (1) Security -> Manager Users or (2) Security -> Web Users.
An issue was discovered in QCMS 3.0.1. upload/System/Controller/backend/system.php has XSS.
An issue was discovered in QCMS 3.0.1. upload/System/Controller/backend/album.php has XSS.
MetInfo 6.0.0 allows XSS via a modified name of the navigation bar on the home page.
Wolf CMS 0.8.3.1 has XSS in the Snippets tab, as demonstrated by a ?/admin/snippet/edit/1 URI.
An issue was discovered in QCMS 3.0.1. upload/System/Controller/backend/down.php has XSS.
An issue was discovered in QCMS 3.0.1. upload/System/Controller/backend/slideshow.php has XSS.
Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allow remote attackers who have permission to add or modify a repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the location setting of a configured repository.
The Add page option in my little forum 2.4.12 allows XSS via the Menu Link field.
The Add page option in my little forum 2.4.12 allows XSS via the Title field.
An issue was discovered in QCMS 3.0.1. upload/System/Controller/backend/product.php has XSS.
Multiple Persistent cross-site scripting (XSS) issues in the Techotronic all-in-one-favicon (aka All In One Favicon) plugin 4.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via Apple-Text, GIF-Text, ICO-Text, PNG-Text, or JPG-Text.
ClipperCMS 1.3.3 has stored XSS via the "Tools -> Configuration" screen of the manager/ URI.
A Cross-site Scripting (XSS) vulnerability in Fortinet FortiManager 6.0.0, 5.6.6 and below versions allows attacker to execute HTML/javascript code via managed remote devices CLI commands by viewing the remote device CLI config installation log.
Dell EMC Isilon versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, versions 7.2.1.x, and version 7.1.1.11 is affected by a cross-site scripting vulnerability in the Antivirus Page within the OneFS web administration interface. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website.
SeaCMS V6.61 has XSS via the site name parameter on an adm1n/admin_config.php page (aka a system management page).
Dell EMC Isilon versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, and versions 7.2.1.x is affected by a cross-site scripting vulnerability in the Authorization Providers page within the OneFS web administration interface. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website.
Dell EMC Isilon versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6 is affected by a cross-site scripting vulnerability in the Network Configuration page within the OneFS web administration interface. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website.
The Tagregator plugin 0.6 for WordPress has stored XSS via the title field in an Add New action.
An issue was discovered in HongCMS 3.0.0. The post news feature has Stored XSS via the content field.
Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.5.
An issue was discovered in Joomla! Core before 3.8.8. Inadequate input filtering leads to a multiple XSS vulnerabilities. Additionally, the default filtering settings could potentially allow users of the default Administrator user group to perform a XSS attack.
Frog CMS 0.9.5 has a stored Cross Site Scripting Vulnerability via "Admin Site title" in Settings.
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit.
The WeChat module in YzmCMS 3.7.1 has reflected XSS via the admin/module/init.html echostr parameter, related to the valid function in application/wechat/controller/index.class.php.
Frog CMS 0.9.5 has XSS via the admin/?/page/edit page[keywords] parameter, aka Edit Page Metadata.
Frog CMS 0.9.5 has XSS via the admin/?/layout/edit layout[name] parameter, aka Edit Layout.
Monstra CMS 3.0.4 has Stored XSS via the Name field on the Create New Page screen under the admin/index.php?id=pages URI, related to plugins/box/pages/pages.admin.php.
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in list-user.html.php:4: via GET request offset variable.
D-Link DIR-615 T1 devices allow XSS via the Add User feature.
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit.
These vulnerabilities require administrative privileges to exploit. There is an XSS vulnerability in integration-contact-form.html.php:14: via POST request variable classes
Imagely NextGEN Gallery version 2.2.30 and earlier contains a Cross Site Scripting (XSS) vulnerability in Image Alt & Title Text. This attack appears to be exploitable via a victim viewing the image in the administrator page. This vulnerability appears to have been fixed in 2.2.45.
An XSS issue was discovered in Designer Studio in Pegasystems Pega Platform 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2, 7.2.1, and 7.2.2. A user with developer credentials can insert malicious code (up to 64 characters) into a text field in Designer Studio, after establishing context. Designer Studio is the developer workbench for Pega Platform. That XSS payload will execute when other developers visit the affected pages.
CMS Made Simple (aka CMSMS) 2.2.7 has Reflected XSS in admin/moduleinterface.php via the m1_name parameter, related to moduledepends, a different vulnerability than CVE-2017-16799.
joyplus-cms 1.6.0 has XSS via the device_name parameter in a manager/admin_ajax.php?action=save flag=add request.
CMS Made Simple (aka CMSMS) 2.2.7 has Reflected XSS in admin/moduleinterface.php via the m1_version parameter.
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in unsubscribe.html.php:3: via GET reuqest to the email variable.
An issue was discovered in WUZHI CMS 4.1.0. The content-management feature has Stored XSS via the title or content section.
iScripts eSwap v2.4 has XSS via the "registration_settings.php" txtDate parameter in the Admin Panel.