In JetBrains IntelliJ IDEA before 2024.1 hTML injection via the project name was possible
In JetBrains TeamCity before 2023.05.3 reflected XSS was possible during user registration
In JetBrains TeamCity before 2023.05.3 reflected XSS was possible during copying Build Step
In JetBrains TeamCity before 2025.07 reflected XSS was possible on the agentpushPreset page
In JetBrains TeamCity before 2023.05.2 reflected XSS via GitHub integration was possible
In JetBrains TeamCity before 2025.03.3 reflected XSS in the NPM Registry integration was possible
In JetBrains TeamCity before 2025.03.3 reflected XSS on diskUsageBuildsStats page was possible
In JetBrains TeamCity before 2023.05.1 reflected XSS via the Referer header was possible during artifact downloads
In JetBrains TeamCity before 2025.03.1 stored XSS was possible on Data Directory tab
In JetBrains TeamCity before 2025.03 stored XSS was possible on Cloud Profiles page
In JetBrains TeamCity before 2023.05 reflected XSS in the Subscriptions page was possible
In JetBrains TeamCity before 2024.12.2 several DOM-based XSS were possible on the Code Inspection Report tab
In JetBrains TeamCity before 2023.05 possible XSS in the Plugin Vendor URL was possible
In JetBrains TeamCity before 2024.12.1 reflected XSS was possible on the Vault Connection page
In JetBrains TeamCity before 2022.10.2 there was an XSS vulnerability in the user creation process.
In JetBrains TeamCity before 2022.10.2 there was an XSS vulnerability in the group creation process.
In JetBrains TeamCity before 2022.04 potential XSS via Referrer header was possible
In JetBrains TeamCity before 2022.04 reflected XSS on the Build Chain Status page was possible
In JetBrains IntelliJ IDEA before 2022.1 HTML injection into IDE messages was possible
In JetBrains Hub before 2022.1.14638 stored XSS via project icon was possible.
In JetBrains IntelliJ IDEA before 2022.1 reflected XSS via error messages in internal web server was possible
In JetBrains YouTrack before 2024.3.47707 reflected XSS was possible in Widget API
In JetBrains TeamCity before 2024.07 stored XSS was possible on Show Connection page
In JetBrains YouTrack before 2024.3.47707 reflected XSS due to insecure link sanitization was possible
In JetBrains TeamCity before 2024.07.1 reflected XSS was possible on the agentPushPreset page
In JetBrains TeamCity before 2023.05.6 reflected XSS on the subscriptions page was possible
In JetBrains TeamCity between 2024.03 and 2024.03.1 several stored XSS in the available updates page were possible
In JetBrains TeamCity before 2024.03 reflected XSS was possible via Space connection configuration
Multiple Stored Cross Site Scripting (XSS) vulnerabilities were discovered in Mida eFramework through 2.9.0.
A stored cross-site scripting (XSS) vulnerability in the component audit/class.audit.php of osTicket-plugins - Storage-FS before commit a7842d494889fd5533d13deb3c6a7789768795ae allows attackers to execute arbitrary web scripts or HTML via a crafted SVG file.
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker would need valid credentials to access the web-based management interface of an affected device.
PQI AirCard has persistent XSS
<p>A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected Dynamics server.</p> <p>The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current authenticated user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions within Dynamics Server on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.</p> <p>The security update addresses the vulnerability by helping to ensure that Dynamics Server properly sanitizes web requests.</p>
Cross-site Scripting (XSS) vulnerability in grocy 2.7.1 via the add recipe module, which gets executed when deleting the recipe.
In Moodle 3.8, messages required extra sanitizing before updating the conversation overview, to prevent the risk of stored cross-site scripting.
Microsoft Exchange Server Remote Code Execution Vulnerability
Jenkins Autocomplete Parameter Plugin 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from Javascript embedded in view definitions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
The WP Total Hacks WordPress plugin through 4.7.2 does not prevent low privilege users from modifying the plugin's settings. This could allow users such as subscribers to perform Stored Cross-Site Scripting attacks against other users, like administrators, due to the lack of sanitisation and escaping as well.
Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
An Authenticated Reflected Cross-site scripting at CC Parameter was discovered in MDaemon before 22.0.0 .
Cross Site Scripting (XSS) vulnerability in PwnCYN YXBOOKCMS v.1.0.2 allows a physically proximate attacker to execute arbitrary code via the library name function in the general settings component.
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime environments, helping enforce privacy regulations in code. The Fides web application allows users to edit consent and privacy notices such as cookie banners. The vulnerability makes it possible to craft a payload in the privacy policy URL which triggers JavaScript execution when the privacy notice is served by an integrated website. The domain scope of the executed JavaScript is that of the integrated website. Exploitation is limited to Admin UI users with the contributor role or higher. The vulnerability has been patched in Fides version `2.22.1`.
In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameters debug and InsId in interface\billing\sl_eob_process.php leads to multiple cross-site scripting (XSS) vulnerabilities.
IBM InfoSphere Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 297720.
IBM Sterling Secure Proxy 6.0.3 and 6.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 269692.
<p>A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected Dynamics server.</p> <p>The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current authenticated user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions within Dynamics Server on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.</p> <p>The security update addresses the vulnerability by helping to ensure that Dynamics Server properly sanitizes web requests.</p>
Reflected Cross site scripting vulnerability in Convert Forms component for Joomla in versions before 4.4.8.
Adobe Experience Manager versions 6.5.13.0 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Exploitation of this issue requires low-privilege access to AEM.
BigBlueButton is an open source web conferencing system. Users in meetings with private chat enabled are vulnerable to a cross site scripting attack in affected versions. The attack occurs when the attacker (with xss in the name) starts a chat. in the victim's client the JavaScript will be executed. This issue has been addressed in version 2.4.8 and 2.5.0. There are no known workarounds for this issue.