changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. Version 0.54.1 contains a fix for the issue.
Zoho ManageEngine ADManager Plus before 7066 allows XSS.
MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability via the /objects/?op=set endpoint, which is intentionally unauthenticated for IoT device integration. User-supplied property values are stored raw in the database without sanitization. When an administrator views the property editor in the admin panel, the stored values are rendered without escaping in both a paragraph tag (SOURCE field) and a textarea element (VALUE field). The XSS fires on page load without requiring any click from the admin. Additionally, the session cookie lacks the HttpOnly flag, enabling session hijack via document.cookie exfiltration. An attacker can enumerate properties via the unauthenticated /api.php/data/ endpoint and poison any property with malicious JavaScript.
A vulnerability, which was classified as problematic, has been found in Pro2col Stingray FTS. The manipulation of the argument Username leads to cross site scripting. The attack may be initiated remotely. It is recommended to upgrade the affected component. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the room parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue
A vulnerability was found in CLTPHP up to 6.0. It has been declared as problematic. Affected by this vulnerability is the POST Parameter Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Cross Site Scripting (XSS) vulnerability in xiweicheng TMS v.2.28.0 allows a remote attacker to execute arbitrary code via a crafted script to the click here function.
The Photo Gallery by 10Web WordPress plugin before 1.6.3 does not properly sanitize the $_GET['image_url'] variable, which is reflected back to the users when executing the editimage_bwg AJAX action.
The embedded neutralization of Script-Related HTML Tag, was by-passed in the case of some extra conditions.
The Domain Replace WordPress plugin through 1.3.8 does not sanitise and escape a parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting
A reflected cross-site scripting (XSS) vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote attacker to potentially obtain access to an ePO administrator's session by convincing the attacker to click on a carefully crafted link. This would lead to limited access to sensitive information and limited ability to alter some information in ePO due to the area of the User Interface the vulnerability is present in.
The Delete Old Orders WordPress plugin through 0.2 does not sanitize and escape the date parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.
The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.5.9 does not escape the current URL before putting it back in a JavaScript context, leading to a Reflected Cross-Site Scripting
The Fast Flow WordPress plugin before 1.2.12 does not sanitise and escape the page parameter before outputting back in an attribute in an admin dashboard, leading to a Reflected Cross-Site Scripting
A Cross-Site Scripting (XSS) vulnerability exists in the reorder administrator functions in sNews 1.71.
unmark 1.9.2 is vulnerable to Cross Site Scripting (XSS) via application/views/marks/add_by_url.php.
The xmlrpc attacks blocker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0, via the 'X-Forwarded-For' HTTP header. This is due to the plugin trusting and logging attacker-controlled IP header data and rendering debug log entries without output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the debug log page.
Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.5.9.
A vulnerability, which was classified as problematic, was found in GZ Scripts PHP GZ Hotel Booking Script 1.8. This affects an unknown part of the file /load.php. The manipulation of the argument first_name/second_name/phone/address_1/country leads to cross site scripting. It is possible to initiate the attack remotely. The associated identifier of this vulnerability is VDB-233355. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Cross-site Scripting (XSS) - Generic in GitHub repository hestiacp/hestiacp prior to 1.5.9.
Insufficient data validation in Trusted Types in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to bypass trusted types policy via a crafted HTML page.
A Cross-Site Scripting (XSS) vulnerability exists in the rcID parameter in Concrete CMS 5.4.1.1 and earlier.
The WP Event Manager WordPress plugin before 3.1.28 does not sanitise and escape its search before outputting it back in an attribute on the event dashboard, leading to a Reflected Cross-Site Scripting
The Header Footer Code Manager WordPress plugin before 1.1.24 does not escape generated URLs before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting.
Cross-site Scripting (XSS) in Piwik before 1.10.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: This is a different vulnerability than CVE-2013-0193 and CVE-2013-0194.
Qwik is a performance focused javascript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful exploitation permits script execution in a victim's browser in the context of the affected origin. This issue has been patched in version 1.19.0.
The WP-Invoice WordPress plugin through 4.3.1 does not have CSRF check in place when updating its settings, and is lacking sanitisation as well as escaping in some of them, allowing attacker to make a logged in admin change them and add XSS payload in them
The Call Now Button WordPress plugin before 1.1.2 does not escape a parameter before outputting it back in an attribute of a hidden input, leading to a Reflected Cross-Site Scripting when the premium is enabled
An unauthenticated reflected cross-site scripting (XSS) vulnerability in QStar Archive Solutions Release RELEASE_3-0 Build 7 allows attackers to execute arbitrary javascript on a victim's browser via a crafted link.
Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched in version 0.60.0.
The Essential Addons for Elementor Lite WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the settings parameter found in the ~/includes/Traits/Helper.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user clicks on a specially crafted link by an attacker. This affects versions up to and including 5.0.8.
Rapid7 Nexpose versions 6.6.129 and earlier suffer from a reflected cross site scripting vulnerability, within the shared scan configuration component of the tool. With this vulnerability an attacker could pass literal values as the test credentials, providing the opportunity for a potential XSS attack. This issue is fixed in Rapid7 Nexpose version 6.6.130.
SVXportal version 2.5 and prior contain a stored cross-site scripting vulnerability in the user registration workflow (index.php submitting to admin/user_action.php). User-supplied fields such as Firstname, lastname, and email are stored in the backend database without adequate output encoding and are later rendered in the administrator interface (admin/users.php), allowing an unauthenticated remote attacker to inject arbitrary JavaScript that executes in an administrator's browser upon viewing the affected page.
The MailerLite WordPress plugin before 1.5.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting
The Bank Mellat WordPress plugin through 1.3.7 does not sanitize and escape the orderId parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.
Cross Site Scripting (XSS) vulnerability via the 'Full Name' parameter in the User Registration section of User Registration & Login System with Admin Panel 1.0.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in artplacer ArtPlacer Widget artplacer-widget allows Stored XSS.This issue affects ArtPlacer Widget: from n/a through <= 2.23.1.
Aethon TUG Home Base Server versions prior to version 24 are affected by un unauthenticated attacker who can freely access hashed user credentials.
The Mega Menu WordPress plugin before 3.0.8 does not sanitize and escape the _wpnonce parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.
The Export All URLs WordPress plugin before 4.2 does not sanitise and escape the CSV filename before outputting it back in the page, leading to a Reflected Cross-Site Scripting
NiceGUI is a Python-based UI framework. The ui.markdown() component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This means that if an application renders user-controlled content through ui.markdown(), an attacker can inject malicious HTML containing JavaScript event handlers. Unlike other NiceGUI components that render HTML (ui.html(), ui.chat_message(), ui.interactive_image()), the ui.markdown() component does not provide or require a sanitize parameter, leaving applications vulnerable to XSS attacks. This vulnerability is fixed in 3.7.0.
The Admin Menu Editor WordPress plugin through 1.0.4 does not sanitize and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.
DOM XSS in microweber ver 1.2.15 in GitHub repository microweber/microweber prior to 1.2.16. inject arbitrary js code, deface website, steal cookie...
The Themify Post Type Builder Search Addon WordPress plugin before 1.4.0 does not properly escape the current page URL before reusing it in a HTML attribute, leading to a reflected cross site scripting vulnerability.
A cross-site scripting vulnerability flaw was found in the auto_link function in Rails before version 3.0.6.
The simple-membership plugin before 3.5.7 for WordPress has XSS.
The Advanced Admin Search WordPress plugin before 1.1.6 does not sanitize and escape some parameters before outputting them back in an admin page, leading to a Reflected Cross-Site Scripting.
Blesta 3.x through 5.x before 5.13.3 mishandles input validation, aka CORE-5665.
All versions of the package serve-lite are vulnerable to Cross-site Scripting (XSS) because when it detects a request to a directory, it renders a file listing of all of its contents with links that include the actual file names without any sanitization or output encoding.
MyBB Thread Redirect Plugin 0.2.1 contains a cross-site scripting vulnerability in the custom text input field for thread redirects. Attackers can inject malicious SVG scripts that will execute when other users view the thread, allowing arbitrary script execution.