A weakness has been identified in O2OA up to 10.0-410. This affects an unknown part of the file /x_organization_assemble_control/jaxrs/person/ of the component Personal Profile Page. Executing manipulation of the argument Description can lead to cross site scripting. The attack can be launched remotely. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version."
The WP Datepicker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpdp_get_selected_datepicker' parameter in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the generate_response function at /web/api/v1/upload/UploadHandler.php.
A vulnerability, which was classified as problematic, has been found in CodeAstro Restaurant POS System 1.0. Affected by this issue is some unknown functionality of the file create_account.php. The manipulation of the argument Full Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-253010 is the identifier assigned to this vulnerability.
If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. QNAP has already fixed the issue in the following QTS versions. QTS 4.4.2.1231 on build 20200302; QTS 4.4.1.1201 on build 20200130; QTS 4.3.6.1218 on build 20200214; QTS 4.3.4.1190 on build 20200107; QTS 4.3.3.1161 on build 20200109; QTS 4.2.6 on build 20200109.
A vulnerability was found in SourceCodester Multi Role Login System 1.0. It has been classified as problematic. Affected is an unknown function of the file /endpoint/add-user.php. The manipulation of the argument name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Rockwell Automation Allen-Bradley PowerMonitor 1000 all versions. A remote attacker could inject arbitrary code into a targeted userâs web browser to gain access to the affected device.
The Push Notification for Post and BuddyPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'pushnotificationid' parameter in all versions up to, and including, 2.06 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
The Export Customers Data plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 't' parameter in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
SolidInvoice 2.3.7 and fixed in v.2.3.8 is vulnerable to Cross Site Scripting (XSS) in the Tax Rate functionality.
The animate-it plugin before 2.3.4 for WordPress has XSS.
SolidInvoice 2.3.7 and v.2.3.8 is vulnerable to Cross Site Scripting (XSS) in the client's functionality.
A flaw has been found in O2OA up to 10.0-410. Impacted is an unknown function of the file /x_portal_assemble_designer/jaxrs/dict/ of the component Personal Profile Page. This manipulation of the argument name/alias/description causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version."
A vulnerability has been found in O2OA up to 10.0-410. The affected element is an unknown function of the file /x_portal_assemble_designer/jaxrs/widget of the component Personal Profile Page. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version."
A vulnerability classified as problematic has been found in PHPGurukul Land Record System 1.0. This affects an unknown part of the file /index.php. The manipulation of the argument searchdata leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
A vulnerability was found in Jspxcms 10.2.0. It has been classified as problematic. Affected is an unknown function of the file /ext/collect/find_text.do. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252996.
The WP-Appbox plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 4.5.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Possible Improper Neutralization of Input During Web Page Generation Vulnerability in eDirectory has been discovered in OpenText™ eDirectory 9.2.3.0000.
EMC RSA Web Threat Detection version 5.0, RSA Web Threat Detection version 5.1, RSA Web Threat Detection version 5.1.2 has a cross site scripting vulnerability that could potentially be exploited by malicious users to compromise the affected system.
Pega Platform from 7.3 to 8.7.3 is affected by an XSS issue due to a misconfiguration of a datapage setting.
A vulnerability was found in code-projects Simple Admin Panel 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file addSizeController.php. The manipulation of the argument size leads to cross site scripting. The attack can be launched remotely.
The vCenter Server contains a reflected cross-site scripting vulnerability due to a lack of input sanitization. An attacker may exploit this issue to execute malicious scripts by tricking a victim into clicking a malicious link.
A vulnerability, which was classified as problematic, was found in ruifang-tech Rebuild 3.8.5. Affected is an unknown function of the component Task Comment Attachment Upload. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
The Giga Messenger WordPress plugin through 2.3.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
A vulnerability, which was classified as problematic, was found in ZeroWdd myblog 1.0. Affected is the function update of the file src/main/java/com/wdd/myblog/controller/admin/BlogController.java. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
The Infility Global WordPress plugin through 2.9.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
A vulnerability has been found in SourceCodester Product Management System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /supplier.php. The manipulation of the argument supplier_name/supplier_contact leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-253012.
The WP Projects Portfolio with Client Testimonials WordPress plugin through 3.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
An improper neutralization of script-related HTML tags in a web page vulnerability [CWE-80] in FortiAuthenticator versions 6.4.0 through 6.4.4, 6.3.0 through 6.3.3, all versions of 6.2 and 6.1 may allow a remote unauthenticated attacker to trigger a reflected cross site scripting (XSS) attack via the "reset-password" page.
Revive Adserver before 5.1.1 is vulnerable to a reflected XSS vulnerability in userlog-index.php via the `period_preset` parameter.
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering a formatted preview of markup passed as a query parameter, resulting in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup.
A vulnerability was found in itsourcecode Vehicle Management System 1.0 and classified as problematic. This issue affects some unknown processing of the file /billaction.php. The manipulation of the argument extra-cost leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
The Aklamator INfeed WordPress plugin through 2.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Nokia IMPACT < 18A: has Reflected self XSS
A vulnerability classified as problematic has been found in PHPGurukul Land Record System 1.0. Affected is an unknown function of the file /admin/admin-profile.php. The manipulation of the argument Admin Name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
A vulnerability classified as problematic has been found in code-projects Chat System 1.0. Affected is an unknown function of the file /admin/update_room.php of the component Chat Room Page. The manipulation of the argument name leads to cross site scripting. It is possible to launch the attack remotely.
Jenkins Kiuwan Plugin 1.6.0 and earlier does not escape query parameters in an error message for a form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability.
IBM QRadar SIEM 7.2 and 7.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 155345.
The Raptive Ads plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'poc' parameter in all versions up to, and including, 3.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
The Glossy WordPress plugin through 2.3.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
A vulnerability classified as problematic was found in CodeAstro University Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /st_reg.php of the component Student Registration Form. The manipulation of the argument Address leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-253009 was assigned to this vulnerability.
The Proofreading plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'nonce' parameter in all versions up to, and including, 1.2.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
The OPSI Israel Domestic Shipments WordPress plugin through 2.6.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Multiple Reflected Cross-site Scripting (XSS) vulnerabilities exist in Zucchetti InfoBusiness before and including 4.4.1. The browsing component did not properly sanitize user input (encoded in base64). This also applies to the search functionality for the searchKey parameter.
HongCMS 3.0.0 has XSS via the install/index.php servername parameter.
JBoss BRMS before 5.1.0 has a XSS vulnerability via asset=UUID parameter.
The Asgard Security Scanner WordPress plugin through 0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
The wp-piwik plugin before 1.0.5 for WordPress has XSS.
A vulnerability was found in PHPGurukul Land Record System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/contactus.php. The manipulation of the argument Page Description leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
A vulnerability was found in Jspxcms 10.2.0 and classified as problematic. This issue affects some unknown processing of the file /ext/collect/filter_text.do. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252995.