Insufficient data validation in Trusted Types in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to bypass trusted types policy via a crafted HTML page.
The WP Event Manager WordPress plugin before 3.1.28 does not sanitise and escape its search before outputting it back in an attribute on the event dashboard, leading to a Reflected Cross-Site Scripting
Multiple cross-site scripting (XSS) vulnerabilities in Free and Open Source Inventory Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name, Address, and Company parameters under the Add Member section.
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Blog2Social, Adenion Blog2Social: Social Media Auto Post & Scheduler plugin <= 7.2.0 versions.
The Simple Membership WordPress plugin before 4.1.1 does not properly sanitise and escape parameters before outputting them back in AJAX actions, leading to Reflected Cross-Site Scripting
Multiple cross-site scripting (XSS) vulnerabilities exist in LeptonCMS before 4.6.0.
Reflected XSS in GitHub repository microweber/microweber prior to 1.2.16. Executing JavaScript as the victim
A vulnerability classified as problematic has been found in SourceCodester One Church Management System. Affected are multiple files and parameters which are prone to to cross site scripting. It is possible to launch the attack remotely.
The Management Interface of the Teradici Cloud Access Connector and Cloud Access Connector Legacy for releases prior to April 24, 2020 (v16 and earlier for the Cloud Access Connector) contains a stored cross-site scripting (XSS) vulnerability which allows a remote unauthenticated attacker to poison log files with malicious JavaScript via the login page which is executed when an administrator views the logs within the application.
Versions of Katello as shipped with Red Hat Subscription Asset Manager 1.4 are vulnerable to a XSS via HTML in the systems name when registering.
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Qode Interactive Bridge Core plugin <= 3.0.9 versions.
Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev26 and 7.4.x before 7.4.0-rev16 allows remote attackers to inject arbitrary web script or HTML via the publication name, which is not properly handled in an error message. NOTE: this vulnerability was SPLIT from CVE-2013-6242 because it affects different sets of versions.
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Maxim Glazunov XML for Google Merchant Center plugin <= 3.0.1 versions.
The WooCommerce - Product Importer WordPress plugin through 1.5.2 does not sanitise and escape the imported data before outputting it back in the page, leading to a Reflected Cross-Site Scripting
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in CodeBard CodeBard's Patron Button and Widgets for Patreon plugin <= 2.1.8 versions.
A vulnerability, which was classified as problematic, was found in yzk2356911358 StudentServlet-JSP cc0cdce25fbe43b6c58b60a77a2c85f52d2102f5/d4d7a0643f1dae908a4831206f2714b21820f991. This affects an unknown part of the component Student Management Handler. The manipulation of the argument Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available.
A spoofing vulnerability exists in Microsoft Azure DevOps Server when it fails to properly handle web requests, aka 'Azure DevOps Server HTML Injection Vulnerability'.
The Turn off all comments WordPress plugin through 1.0 does not sanitise and escape the rows parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting
he Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to execute malicious script in the victim�s browser. This vulnerability has low impact on confidentiality and integrity within the scope of that victim�s browser, with no effect on availability of the application
The BMI BMR Calculator WordPress plugin through 1.3 does not sanitise and escape arbitrary POST data before outputting it back in the response, leading to a Reflected Cross-Site Scripting
The WOPI API integration for Vereign Collabora CODE through 4.2.2 does not properly restrict delivery of JavaScript to a victim's browser, and lacks proper MIME type access control, which could lead to XSS that steals account credentials via cookies or local storage. The attacker must first obtain an API access token, which can be accomplished if the attacker is able to upload a .docx or .odt file. The associated API endpoints for exploitation are /wopi/files and /wopi/getAccessToken.
Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious url can lead to an arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. Reflected XXS via the error message for requesting non-existing page.
The LifterLMS PayPal WordPress plugin before 1.4.0 does not sanitise and escape some parameters from the payment confirmation page before outputting them back in the page, leading to a Reflected Cross-Site Scripting issue
A vulnerability, which was classified as problematic, has been found in School Club Application System 1.0. This issue affects access to /scas/admin/. The manipulation of the parameter page with the input %22%3E%3Cimg%20src=x%20onerror=alert(1)%3E leads to a reflected cross site scripting. The attack may be initiated remotely and does not require any form of authentication. The exploit has been disclosed to the public and may be used.
The WP 2FA WordPress plugin before 2.2.1 does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting
Cross Site Scripting vulnerability in Koillection v.1.6.10 allows a remote attacker to escalate privileges via the collection, Wishlist and album components
XSS on dynamic_text module in GitHub repository microweber/microweber prior to 1.2.11.
Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Cross-Site Scripting in Badge Registration V-2023-005.
A cross-site scripting (XSS) vulnerability in flaskBlog v2.6.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the postContent parameter at /createpost.
UliCMS before 2020.2 has PageController stored XSS.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BrainCert BrainCert – HTML5 Virtual Classroom allows Reflected XSS.This issue affects BrainCert – HTML5 Virtual Classroom: from n/a through 1.30.
Reflected cross-site scripting vulnerability in VI Web Client prior to 7.9.6 allows a remote unauthenticated attacker to inject an arbitrary script.
code-projects Online Exam Mastering System 1.0 is vulnerable to Cross Site Scripting (XSS) in feedback.php via the "q" parameter allowing remote attackers to execute arbitrary code.
Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.862 Application 20.0.2014 allows Cross Site Scripting (XSS) V-2023-017.
Cross-Site Scripting (XSS) vulnerability exists in Mezzanine CMS 6.0.0 in the "View Entries" feature within the Forms module.
A vulnerability exists in the errorpage.php file of the CS2-WeaponPaints-Website v2.1.7 where user-controlled input is not adequately validated before being processed. Specifically, the $_GET['errorcode'] parameter can be manipulated to access unauthorized error codes, leading to Cross-Site Scripting (XSS) attacks and information disclosure.
A reflected cross-site scripting (XSS) vulnerability was discovered in Output Messenger before 2.0.63, where unsanitized input could be injected into the web application’s response. This vulnerability occurs when user-controlled input is reflected back into the browser without proper sanitization or encoding.
A cross-site scripting (XSS) vulnerability in OA System before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the title parameter at /daymanager/daymanageabilitycontroller.java.
The FoxyShop WordPress plugin before 4.8.2 does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting
Pydio Cells 2.0.4 allows XSS. A malicious user can either upload or create a new file that contains potentially malicious HTML and JavaScript code to personal folders or accessible cells.
Flowise before 3.0.5 allows XSS via a FORM element and an INPUT element when an admin views the chat log.
The TRMTracker web application is vulnerable to reflected Cross-site scripting attack. The application allows client-side code injection that might be used to compromise the confidentiality and integrity of the system.
An issue was discovered in Progress MOVEit Automation Web Admin. A Web Admin application endpoint failed to adequately sanitize malicious input, which could allow an unauthenticated attacker to execute arbitrary code in a victim's browser, aka XSS. This affects 2018 - 2018.0 prior to 2018.0.3, 2018 SP1 - 2018.2 prior to 2018.2.3, 2018 SP2 - 2018.3 prior to 2018.3.7, 2019 - 2019.0 prior to 2019.0.3, 2019.1 - 2019.1 prior to 2019.1.2, and 2019.2 - 2019.2 prior to 2019.2.2.
The Site Offline or Coming Soon WordPress plugin through 1.6.6 does not have CSRF check in place when updating its settings, and it also lacking sanitisation as well as escaping in some of them. As a result, attackers could make a logged in admin change them and put Cross-Site Scripting payloads in them via a CSRF attack
XSS exists in Webmin 1.941 and earlier affecting the Save function of the Read User Email Module / mailboxes Endpoint when attempting to save HTML emails. This module parses any output without sanitizing SCRIPT elements, as opposed to the View function, which sanitizes the input correctly. A malicious user can send any JavaScript payload into the message body and execute it if the user decides to save that email.
SourceCodester Company Website CMS 1.0 is vulnerable to Cross Site Scripting (XSS) via /dashboard/Services.
flatpress 1.3.1 is vulnerable to Cross Site Scripting (XSS) in Administration area via Manage categories.
PbootCMS v3.2.9 contains a XSS vulnerability in admin.php?p=/Content/index/mcode/2#tab=t2.
Reflected Cross-Site Scripting (XSS) vulnerability in version 1.0 of the Clinic Queuing System. This vulnerability could allow an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the id parameter in /manage_user.php.
Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.