Slims9 Bulian 9.4.2 is affected by Cross Site Scripting (XSS) in /admin/modules/system/custom_field.php.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Cloud Primero B.V DBargain plugin <= 3.0.0 versions.
OX App Suite through 7.10.3 allows stats/diagnostic?param= XSS.
Certain NETGEAR devices are affected by stored XSS. This affects CBR40 before 2.5.0.10, EAX80 before 1.0.1.64, EX3700 before 1.0.0.90, EX3800 before 1.0.0.90, EX6120 before 1.0.0.64, EX6130 before 1.0.0.44, EX7500 before 1.0.0.72, RBW30 before 2.6.1.4, RBK752 before 3.2.16.6, RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 before 3.2.16.6, RBR850 before 3.2.16.6, RBS850 before 3.2.16.6, and RBS40V before 2.6.1.4.
NCH Express Invoice 8.06 to 8.24 is vulnerable to Reflected XSS in the Quotes List module.
A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the My Account Section in login panel.
Certain NETGEAR devices are affected by stored XSS. This affects R7000 before 1.0.11.110, R7900 before 1.0.4.30, R8000 before 1.0.4.62, RAX15 before 1.0.2.82, RAX20 before 1.0.2.82, RAX200 before 1.0.3.106, RAX75 before 1.0.3.106, and RAX80 before 1.0.3.106.
The /servicedesk/customer/portals resource in Jira Service Desk Server and Data Center before version 4.10.0 allows remote attackers with project administrator privileges to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by uploading a html file.
A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Category List Section in login panel.
An issue has been discovered in GitLab affecting versions from 12.10 to 12.10.12 that allowed for a stored XSS payload to be added as a group name.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WPExperts Password Protected plugin <= 2.6.2 versions.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Palasthotel by Edward Bock, Katharina Rompf Sunny Search plugin <= 1.0.2 versions.
Certain NETGEAR devices are affected by stored XSS. This affects R6120 before 1.0.0.76, R6260 before 1.1.0.78, R6850 before 1.1.0.78, R6350 before 1.1.0.78, R6330 before 1.1.0.78, R6800 before 1.2.0.76, R6700v2 before 1.2.0.76, R6900v2 before 1.2.0.76, R7200 before 1.2.0.76, R7350 before 1.2.0.76, R7400 before 1.2.0.76, R7450 before 1.2.0.76, AC2100 before 1.2.0.76, AC2400 before 1.2.0.76, and AC2600 before 1.2.0.76.
Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized. An attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description. Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix.
NETGEAR R7000 devices before 1.0.11.126 are affected by stored XSS.
Perch Content Management System 3.0.3 allows unrestricted file upload (with resultant XSS) via the Asset Title field in conjunction with the Select File field. This is exploitable with a Limited Admin account.
A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Service List Section in login panel.
An issue was discovered CMS MaeloStore V.1.5.0. There is stored XSS in the Telephone field of the admin interface.
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was vulnerable to a stored XSS on the standalone vulnerability page.
WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter.
An issue was discovered in ZZCMS 2021. There is a cross-site scripting (XSS) vulnerability in ad_manage.php.
A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Vehicle Service Management System 1.0 via the User List Section in login panel.
Concrete CMS versions 9 below 9.2.8 and versions below 8.5.16 are vulnerable to Cross-site Scripting (XSS) in the Advanced File Search Filter. Prior to the fix, a rogue administrator could add malicious code in the file manager because of insufficient validation of administrator provided data. All administrators have access to the File Manager and hence could create a search filter with the malicious code attached. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator .
A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Mechanic List Section in login panel.
Certain NETGEAR devices are affected by stored XSS. This affects EAX20 before 1.0.0.36, EAX80 before 1.0.1.62, EX3700 before 1.0.0.90, EX3800 before 1.0.0.90, EX6120 before 1.0.0.64, EX6130 before 1.0.0.44, EX7500 before 1.0.0.72, RBW30 before 2.6.1.4, RBK752 before 3.2.16.6, RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 before 3.2.16.6, RBR850 before 3.2.16.6, RBS850 before 3.2.16.6, and RBS40V before 2.6.1.4.
The bbPress plugin through 2.6.4 for WordPress has stored XSS in the Forum creation section, resulting in JavaScript execution at wp-admin/edit.php?post_type=forum (aka the Forum listing page) for all users. An administrator can exploit this at the wp-admin/post.php?action=edit URI.
In GitLab before 13.0.12, 13.1.6, and 13.2.3, a stored XSS vulnerability exists in the CI/CD Jobs page
An issue was discovered in PONTON X/P Messenger before 3.11.2. The navigation tree that is shown on the left side of every page of the web application is vulnerable to XSS: it allows injection of JavaScript into its nodes. Creating such nodes is only possible for users who have the role Configuration Administrator or Administrator.
Form Builder 2.1.0 for Magento has multiple XSS issues that can be exploited against Magento 2 admin accounts via the Current_url or email field, or the User-Agent HTTP header.
Certain NETGEAR devices are affected by Stored XSS. This affects D6200 before 1.1.00.40, D7000 before 1.0.1.78, R6020 before 1.0.0.48, R6080 before 1.0.0.48, R6120 before 1.0.0.76, R6220 before 1.1.0.110, R6230 before 1.1.0.110, R6260 before 1.1.0.78, R6800 before 1.2.0.76, R6900v2 before 1.2.0.76, R6700v2 before 1.2.0.76, R6850 before 1.1.0.78, R7200 before 1.2.0.76, R7350 before 1.2.0.76, R7400 before 1.2.0.76, R7450 before 1.2.0.76, AC2100 before 1.2.0.76, AC2400 before 1.2.0.76, AC2600 before 1.2.0.76, and RAX40 before 1.0.3.62.
Tufin SecureChange prior to R19.3 HF3 and R20-1 HF1 are vulnerable to stored XSS. The successful exploitation requires admin privileges (for storing the XSS payload itself), and can exploit (be triggered by) admin users. All TOS versions with SecureChange deployments prior to R19.3 HF3 and R20-1 HF1 are affected. Vulnerabilities were fixed in R19.3 HF3 and R20-1 HF1.
CMS Made Simple through 2.2.14 allows XSS via a crafted File Picker profile name.
Certain NETGEAR devices are affected by stored XSS. This affects RAX200 before 1.0.5.126, RAX20 before 1.0.2.82, RAX80 before 1.0.5.126, RAX15 before 1.0.2.82, and RAX75 before 1.0.5.126.
A Cross Site Request Forgery (CSRF) vulnerability exists in Vehicle Service Management System 1.0. An successful CSRF attacks leads to Stored Cross Site Scripting Vulnerability.
Certain NETGEAR devices are affected by stored XSS. This affects CBR40 before 2.5.0.10, EAX20 before 1.0.0.48, EAX80 before 1.0.1.64, EX6120 before 1.0.0.64, EX6130 before 1.0.0.44, EX7500 before 1.0.0.72, R7960P before 1.4.1.66, RAX200 before 1.0.3.106, RBS40V before 2.6.1.4, RBW30 before 2.6.1.4, EX3700 before 1.0.0.90, MR60 before 1.0.6.110, R8000P before 1.4.1.66, RAX20 before 1.0.2.82, RAX45 before 1.0.2.72, RAX80 before 1.0.3.106, EX3800 before 1.0.0.90, MS60 before 1.0.6.110, R7900P before 1.4.1.66, RAX15 before 1.0.2.82, RAX50 before 1.0.2.72, RAX75 before 1.0.3.106, RBR750 before 3.2.16.6, RBR850 before 3.2.16.6, RBS750 before 3.2.16.6, RBS850 before 3.2.16.6, RBK752 before 3.2.16.6, and RBK852 before 3.2.16.6.
Certain NETGEAR devices are affected by stored XSS. This affects CBR40 before 2.5.0.10, EAX20 before 1.0.0.48, EAX80 before 1.0.1.64, EX6120 before 1.0.0.64, EX6130 before 1.0.0.44, EX7500 before 1.0.0.72, R7000 before 1.0.11.116, R7900 before 1.0.4.38, R8000 before 1.0.4.68, RAX200 before 1.0.3.106, RBS40V before 2.6.1.4, RBW30 before 2.6.1.4, EX3700 before 1.0.0.90, MR60 before 1.0.6.110, R7000P before 1.3.2.126, RAX20 before 1.0.2.82, RAX45 before 1.0.2.72, RAX80 before 1.0.3.106, EX3800 before 1.0.0.90, MS60 before 1.0.6.110, R6900P before 1.3.2.126, RAX15 before 1.0.2.82, RAX50 before 1.0.2.72, RAX75 before 1.0.3.106, RBR750 before 3.2.16.6, RBR850 before 3.2.16.6, RBS750 before 3.2.16.6, RBS850 before 3.2.16.6, RBK752 before 3.2.16.6, and RBK852 before 3.2.16.6.
A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Vehicle Service Management System 1.0 via the Settings Section in login panel.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Moss Web Works MWW Disclaimer Buttons allows Stored XSS.This issue affects MWW Disclaimer Buttons: from n/a through 3.0.2.
A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Service Requests Section in login panel.
An issue has been discovered in GitLab affecting versions from 11.8 before 12.10.13. GitLab was vulnerable to a stored XSS by in the error tracking feature.
The Lightbox & Modal Popup WordPress Plugin WordPress plugin before 2.7.28, foobox-image-lightbox-premium WordPress plugin before 2.7.28 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Eji Osigwe DevBuddy Twitter Feed plugin <= 4.0.0 versions.
Certain NETGEAR devices are affected by stored XSS. This affects RAX200 before 1.0.3.106, MR60 before 1.0.6.110, RAX20 before 1.0.2.82, RAX45 before 1.0.2.72, RAX80 before 1.0.3.106, MS60 before 1.0.6.110, RAX15 before 1.0.2.82, RAX50 before 1.0.2.72, RAX75 before 1.0.3.106, RBR750 before 3.2.16.6, RBR850 before 3.2.16.6, RBS750 before 3.2.16.6, RBS850 before 3.2.16.6, RBK752 before 3.2.16.6, and RBK852 before 3.2.16.6.
A Cross-site scripting (XSS) vulnerability in Secondary Email Field in Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306 allows an attackers to inject arbitrary JavaScript code.
Certain NETGEAR devices are affected by stored XSS. This affects EAX20 before 1.0.0.48, EAX80 before 1.0.1.64, EX3700 before 1.0.0.90, EX3800 before 1.0.0.90, EX6120 before 1.0.0.64, EX6130 before 1.0.0.44, EX7500 before 1.0.0.72, R7960P before 1.4.1.66, R7900P before 1.4.1.66, R8000P before 1.4.1.66, RAX15 before 1.0.2.82, RAX20 before 1.0.2.82, RAX200 before 1.0.3.106, RAX45 before 1.0.2.72, RAX50 before 1.0.2.72, RAX75 before 1.0.3.106, and RAX80 before 1.0.3.106.
A vulnerability was found in Portabilis i-Educar 2.10. It has been classified as problematic. This affects an unknown part of the file /intranet/public_municipio_cad.php. The manipulation of the argument nome leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
An issue has been discovered in GitLab affecting versions prior to 13.1.2, 13.0.8 and 12.10.13. GitLab was vulnerable to a stored XSS by using the PyPi files API.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Daniel Powney Multi Rating plugin <= 5.0.6 versions.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Alkaweb Eonet Manual User Approve plugin <= 2.1.3 versions.
A vulnerability classified as problematic has been found in Portabilis i-Educar 2.10. Affected is an unknown function of the file /intranet/educar_raca_cad.php. The manipulation of the argument nm_raca leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.