The Pricing Table by Supsystic WordPress plugin before 1.9.5 does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting
XSS exists in the WebForms Pro M2 extension before 2.9.17 for Magento 2 via the textarea field.
A stored Cross-Site Scripting vulnerability (XSS) occurs when the server does not properly validate or encode the data entered by the user.
A vulnerability classified as problematic has been found in Tongda OA 11.10. Affected is an unknown function of the file /general/ipanel/menu_code.php?MENU_TYPE=FAV. The manipulation of the argument OA_SUB_WINDOW leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-239868.
A vulnerability classified as problematic has been found in Portabilis i-Educar 2.9. This affects an unknown part of the file /intranet/funcionario_vinculo_lst.php. The manipulation of the argument nome leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A vulnerability was found in PHPGurukul Taxi Stand Management System 1.0. It has been classified as problematic. This affects an unknown part of the file /search.php. The manipulation of the argument searchdata leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Reflected XSS in Web Compliance Manager in Quest Policy Authority version 8.1.2.200 allows attackers to inject malicious code into the browser via a specially crafted link to the initFile.jsp file via the msg parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
BigProf Online Invoicing System before 3.1 fails to correctly sanitize an XSS payload when a user registers using the self-registration functionality. As such, an attacker can input a crafted payload that will execute upon the application's administrator browsing the registered users' list. Once the arbitrary Javascript is executed in the context of the admin, this will cause the attacker to gain administrative privileges, effectively leading into an application takeover. This affects app/membership_signup.php and app/admin/pageViewMembers.php.
Event Management v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the full_name parameter under register.php.
The SuluFormBundle adds support for creating dynamic forms in Sulu Admin. The TokenController get parameter formName is not sanitized in the returned input field which leads to XSS. This vulnerability is fixed in 2.5.3.
A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via the module form name field.
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences.
A vulnerability, which was classified as problematic, has been found in PHPGurukul Online Banquet Booking System 1.0. Affected by this issue is some unknown functionality of the file /admin/login.php. The manipulation of the argument user_login/userpassword leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
A cross-site scripting vulnerability exists in Jenkins Git Changelog Plugin 2.6 and earlier in GitChangelogSummaryDecorator/summary.jelly, GitChangelogLeftsideBuildDecorator/badge.jelly, GitLogJiraFilterPostPublisher/config.jelly, GitLogBasicChangelogPostPublisher/config.jelly that allows attackers able to control the Git history parsed by the plugin to have Jenkins render arbitrary HTML on some pages.
The Easy Google Maps WordPress plugin before 1.9.32 does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting
IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: webmail/basic/ with the parameter _dlg[captcha][controller] is non-persistent in 10.1.3 and 10.2.0.
IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: webmail/ with the parameter password is non-persistent in 10.2.0.
A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via the event filter name field.
A vulnerability classified as problematic was found in Portabilis i-Educar 2.9. This vulnerability affects unknown code of the file /intranet/pesquisa_pessoa_lst.php. The manipulation of the argument campo_busca/cpf leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via the service name field.
Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. The following paths in resque-web have been found to be vulnerable to reflected XSS: "/failed/?class=<script>alert(document.cookie)</script>" and "/queues/><img src=a onerror=alert(document.cookie)>". This issue has been patched in version 2.2.1.
Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered that validation of incoming XML format request messages is inadequate. This vulnerability could allow an attacker to XSS on the user's browser. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.
A reflected cross-site scripting (XSS) in ScratchOAuth2 before commit 1603f04e44ef67dde6ccffe866d2dca16defb293 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.
A vulnerability was found in Campcodes Online Movie Theater Seat Reservation System 1.0. It has been classified as problematic. This affects an unknown part of the file /index.php?page=reserve of the component Reserve Your Seat Page. The manipulation of the argument Firstname/Lastname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Cross-site scripting (XSS) vulnerability in /application/controller/admin/theme.php in LimeSurvey 3.6.2+180406 allows remote attackers to inject arbitrary web script or HTML via the changes_cp parameter to the index.php/admin/themes/sa/templatesavechanges URI.
tag.ex in Phoenix Phoenix.HTML (aka phoenix_html) before 3.0.4 allows XSS in HEEx class attributes.
Cross Site Scripting (XSS) vulnerability in WofficeIO Woffice allows Reflected XSS.This issue affects Woffice: from n/a through 5.4.8.
Due to insufficient input validation, SAP CRM WebClient UI allows an unauthenticated attacker to craft a URL link which embeds a malicious script. When a victim clicks on this link, the script will be executed in the victim's browser giving the attacker the ability to access and/or modify information with no effect on availability of the application.
IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 273333.
Cross Site Scripting (XSS) in ikiwiki before 3.20110122 could allow remote attackers to insert arbitrary JavaScript due to insufficient checking in comments.
A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via module massive operation name field.
A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via service elements.
A vulnerability, which was classified as problematic, has been found in Portabilis i-Educar 2.10. Affected by this issue is some unknown functionality of the file /educar_aluno_lst.php. The manipulation of the argument ref_cod_matricula with the input "><img%20src=x%20onerror=alert(%27CVE-Hunters%27)> leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to, and including, 18.2. This is due to lacking authentication protections and santisation all on the wpfm_edit_file_title_desc AJAX action. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
phpIPAM 1.4.4 allows Reflected XSS and CSRF via app/admin/subnets/find_free_section_subnets.php of the subnets functionality.
Multiple Stored XSS Vulnerabilities in the Source Code of iOrder 1.0 allow remote attackers to execute arbitrary code via signup form in the Name and Phone number field.
JBoss AeroGear has reflected XSS via the password field
Cross Site Scripting vulnerability in Hangzhou Meisoft Information Technology Co., Ltd. Finesoft v.8.0 and before allows a remote attacker to execute arbitrary code via a crafted script to the login.jsp parameter.
A vulnerability was found in Portabilis i-Educar 2.9. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /intranet/educar_servidor_lst.php. The manipulation of the argument nome/matricula_servidor leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via the transactional maps name field.
Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.
An issue was discovered in eZ Platform Ibexa Kernel before 1.3.1.1. An XSS attack can occur because JavaScript code can be uploaded in a .html or .js file.
A vulnerability in the web-based management interface of Cisco Webex Meetings could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected service. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected service. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
A vulnerability was found in code-projects Intern Membership Management System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file fill_details.php of the component Error Message Handler. The manipulation of the argument email leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 5.47.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Unauthenticated cross-site scripting (XSS) in Netgear WAC120 AC Access Point may lead to mulitple attacks like session hijacking even clipboard hijacking.
A vulnerability was found in GamerZ WP-PostRatings up to 1.64. It has been classified as problematic. This affects an unknown part of the file wp-postratings.php. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 1.65 is able to address this issue. The identifier of the patch is 6182a5682b12369ced0becd3b505439ce2eb8132. It is recommended to upgrade the affected component. The identifier VDB-259629 was assigned to this vulnerability.
PHP cebe markdown parser version 1.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in all distributed parsers allowing a malicious crafted script to be executed that can result in the lose of user data and sensitive user information. This attack can be exploited by crafting a three backtick wrapped payload with a character in front: L: "```<script>alert();</script>```". NOTE: This has been argued as a non-issue (see references) since it is not the parser's job to sanitize malicious code from a parsed document
The Coming Soon by Supsystic WordPress plugin before 1.7.6 does not sanitise and escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting
PAD CMS is vulnerable to Reflected XSS in printing and save to PDF functionality. Malicious attacker can craft special URL, which will result in arbitrary JavaScript execution in victim's browser, when opened. This issue affects all 3 templates: www, bip and www+bip. This product is End-Of-Life and producent will not publish patches for this vulnerability.