CVE-2000-1104
Variant of the 'IIS Cross-Site Scripting' vulnerability as originally discussed in MS:MS00-060 (CVE-
Variant of the 'IIS Cross-Site Scripting' vulnerability as originally discussed in MS:MS00-060 (CVE-
Multiple cross-site scripting (XSS) vulnerabilities in Adobe Acrobat Reader Plugin before 8.0.0, and
Koala Framework before 2011-11-21 has XSS via the request_uri parameter.
The Microsoft Anti-Cross Site Scripting (AntiXSS) Library 3.x and 4.0 does not properly evaluate cha
EllisLab CodeIgniter 2.1.2 allows remote attackers to bypass the xss_clean() Filter and perform XSS
Google Chrome before 21.0.1180.82 on iOS makes certain incorrect calls to WebView methods that trigg
Cross-site request forgery (CSRF) vulnerability in e107_admin/newspost.php in e107 1.0.1 allows remo
Cross-site scripting (XSS) vulnerability in Microsoft System Center Operations Manager 2007 SP1 and
Cross-site scripting (XSS) vulnerability in Microsoft System Center Operations Manager 2007 SP1 and
Versions of Katello as shipped with Red Hat Subscription Asset Manager 1.4 are vulnerable to an XSS v
The Conceptronic C54APM access point with runtime code 1.26 has a default password of admin for the
Pearson eSIS (Enterprise Student Information System) message board has stored XSS due to improper va
Cross-site Scripting (XSS) in the spreadshirt-rss-3d-cube-flash-gallery plugin 2014 for WordPress al
Multiple Cross-Site Scripting (XSS) vulnerabilities exist in Simple Online Planning (SOPlanning) bef
A Cross-Site Scripting (XSS) vulnerability exists in the description field of a Download RSS item o
The 'Social Pug - Easy Social Share Buttons' plugin before 1.2.6 for WordPress allows XSS via the wp
A Cross-Site Scripting (XSS) vulnerability exists in the ITMS workflow process manager console in Sy
Osclass 3.7.4 has XSS via the query string to index.php, a different vulnerability than CVE-2014-628
A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker with
Rhymix CMS 1.9.8.1 allows XSS via an index.php?module=admin&act=dispModuleAdminFileBox SVG upload.
ChinaMobile PLC Wireless Router GPN2.4P21-C-CN devices with firmware W2001EN-00 have XSS via the cgi
The Reporting Addon (aka Reports Addon) through 2019-01-02 for CUBA Platform through 6.10.x has Pers
Frog CMS 0.9.5 has XSS in the admin/?/page/edit/1 body field.
Fork CMS 5.0.6 allows stored XSS via the private/en/settings facebook_admin_ids parameter (aka 'Admi
Failure to correctly handle null bytes when processing HTML entities resulted in Firefox incorrectly
XSS in the DHCP lease-status table in Billion Smart Energy Router SG600R2 Firmware v3.02.rc6 allows
The fileview package v0.1.6 has inadequate output encoding and escaping, which leads to a stored Cro
The seefl package v0.1.1 is vulnerable to a stored Cross-Site Scripting (XSS) vulnerability via a ma
SolarWinds Web Help Desk 12.7.0 allows XSS via the Request Type parameter of a ticket.
SolarWinds Web Help Desk 12.7.0 allows XSS via a CSV template file with a crafted Location Name fiel
When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer does
Dell EMC Unisphere for PowerMax versions prior to 9.1.0.9, Dell EMC Unisphere for PowerMax versions
A DOM based XSS vulnerability has been identified on the WatchGuard XMT515 through 12.1.3, allowing
Digi AnywhereUSB 14 allows XSS via a link for the Digi Page.
IceWarp WebMail Server 12.2.0 and 12.1.x before 12.2.1.1 (and probably earlier versions) allows XSS
IceWarp WebMail Server 12.2.0 and 12.1.x before 12.2.1.1 (and probably earlier versions) allows XSS
GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 allows XSS in group and profile fields.
In Support Incident Tracker (SiT!) 3.67, Load Plugins input in the config.php page is affected by XS
In Support Incident Tracker (SiT!) 3.67, the id parameter is affected by XSS on all endpoints that u
An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via alias to Manage Store Contents.
An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via cacheName to SystemCacheDetails.js
An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via search to the Users/Group search p
An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via isTrustStore to Manage Store Conte
A mutation cross-site scripting (XSS) issue in Typora through 0.9.9.31.2 on macOS and through 0.9.81
TopList before 2019-09-03 allows XSS via a title.
ganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via the header.php ce parameter.
ganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via the header.php cs parameter.
The OUGC Awards plugin before 1.8.19 for MyBB allows XSS via a crafted award reason that is mishandl
YUNUCMS 1.1.8 has XSS in app/admin/controller/System.php because crafted data can be written to the
An issue was discovered in YUNUCMS V1.1.8. app/index/controller/Show.php has an XSS vulnerability vi
Frog CMS 0.9.5 allows XSS via the forgot password page (aka the /admin/?/login/forgot URI).
PHP Scripts Mall Citysearch / Hotfrog / Gelbeseiten Clone Script 2.0.1 has Reflected XSS via the src
: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability
: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability
: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability
: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability
: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability
OpenText Carbonite Server Backup Portal before 8.8.7 allows XSS by an authenticated user via policy
XSS exists in JIZHICMS 1.7.1 via index.php/Wechat/checkWeixin?signature=1&echostr={XSS] to Home/c/We
XSS exists in JIZHICMS 1.7.1 via index.php/Error/index?msg={XSS] to Home/c/ErrorController.php.
Stored XSS was discovered in the tree mode of jsoneditor before 9.0.2 through injecting and executin
OX App Suite through 7.10.4 allows XSS via the app loading mechanism (the PATH_INFO to the /appsuite
The default installation of Krpano Panorama Viewer version <=1.20.8 is prone to Reflected XSS due to
The default installation of Krpano Panorama Viewer version <=1.20.8 is vulnerable to Reflected XSS d
FUEL CMS 1.4.11 has stored XSS in Blocks/Navigation/Site variables. This could lead to cookie steali
HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can l
REDCap 10.3.4 contains a XSS vulnerability in the ToDoList function with parameter sort. The informa
Formstone <=1.4.16 is vulnerable to a Reflected Cross-Site Scripting (XSS) vulnerability caused by i
Dell EMC Unisphere for PowerMax versions prior to 9.1.0.9, Dell EMC Unisphere for PowerMax versions
Reflected XSS in Web Compliance Manager in Quest Policy Authority version 8.1.2.200 allows attackers
Reflected XSS in Quest Policy Authority version 8.1.2.200 allows attackers to inject malicious code
Reflected XSS in Web Compliance Manager in Quest Policy Authority version 8.1.2.200 allows attackers
zonote through 0.4.0 allows XSS via a crafted note, with resultant Remote Code Execution (because no
Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code i
Stored XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to store malicious code in mu
Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code i
Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code i
Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code i
Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code i
Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code i
Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code i
RailsAdmin (aka rails_admin) before 1.4.3 and 2.x before 2.0.2 allows XSS via nested forms.
PHPGurukul Hospital Management System in PHP v4.0 suffers from multiple Persistent XSS vulnerabiliti
Codoforum 4.8.3 allows XSS in the admin dashboard via a name field of a new user, i.e., on the Manag
Codoforum 4.8.3 allows XSS via a post using parameters display name, title name, or content.
The OpenID Connect reference implementation for MITREid Connect through 1.3.3 allows XSS due to user
Codoforum 4.8.3 allows XSS in the user registration page: via the username field to the index.php?u=
Codoforum 4.8.3 allows XSS in the admin dashboard via a category to the Manage Users screen.
The WikibaseMediaInfo extension 1.35 for MediaWiki allows XSS because of improper template syntax wi
BigProf Online Invoicing System (OIS) through 2.6 has XSS that can be leveraged for session hijackin
In PrestaShop 1.7.6.2, XSS can occur during addition or removal of a QuickAccess link. This is relat
OpenTrade through 0.2.0 has a DOM-based XSS vulnerability that is executed when an administrator att
MendixSSO <= 2.1.1 contains endpoints that make use of the openid handler, which is suffering from a
SAP BusinessObjects Business Intelligence platform, versions 410, 420, allows an authenticated attac
MK-AUTH through 19.01 K4.9 allows XSS via the admin/logs_ajax.php tipo parameter. An attacker can le
An issue was discovered in Joomla! 3.9.0 through 3.9.23. The lack of escaping in mod_breadcrumbs ari
An issue was discovered in Joomla! 3.1.0 through 3.9.23. The lack of escaping of image-related param
OX App Suite through 7.10.3 allows XSS via the ajax/apps/manifests query string.
OX App Suite through 7.10.4 allows XSS via a crafted Content-Disposition header in an uploaded HTML
OX App Suite through 7.10.4 allows XSS via use of the conversion API for a distributedFile.
OX App Suite through 7.10.4 allows XSS via an inline binary file.
OX App Suite through 7.10.4 allows XSS via an inline image with a crafted filename.
OX App Suite through 7.10.4 allows XSS via JavaScript in a Note referenced by a mail:// URL.
OX App Suite through 7.10.4 allows XSS via a contact whose name contains JavaScript code.
OX App Suite through 7.10.4 allows XSS via an appointment in which the location contains JavaScript
OX App Suite through 7.10.4 allows XSS via the subject of a task.
The WP Travel Engine WordPress plugin before 5.3.1 does not escape the Description field in the Trip
The Mortgage Calculator / Loan Calculator WordPress plugin before 1.5.17 does not escape some of
The LiteSpeed Cache WordPress plugin before 4.4.4 does not escape the qc_res parameter before output
The LiteSpeed Cache WordPress plugin before 4.4.4 does not properly verify that requests are coming
The Site Reviews WordPress plugin before 5.17.3 does not sanitise and escape the site-reviews parame
The WooCommerce PDF Invoices & Packing Slips WordPress plugin before 2.10.5 does not escape the tab
The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_notic
The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_delet
The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_creat
The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise
The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.16.66 does not sanitise and escape
The PowerPack Addons for Elementor WordPress plugin before 2.6.2 does not escape the tab parameter b
The Booking Calendar WordPress plugin before 8.9.2 does not sanitise and escape the booking_type par
The WOOCS WordPress plugin before 1.3.7.3 does not sanitise and escape the custom_prices parameter b
The 10Web Social Photo Feed WordPress plugin before 1.4.29 was affected by a reflected Cross-Site Sc
Seo Panel 4.8.0 allows reflected XSS via the seo/seopanel/login.php?sec=forgot email parameter.
In MikroTik RouterOS through 2021-01-04, the hotspot login page is vulnerable to reflected XSS via t
Invision Community IPS Community Suite before 4.5.4.2 allows XSS during the quoting of a post or com
The Express Entries Dashboard in Concrete5 8.5.4 allows stored XSS via the name field of a new data
The input fields of the Apache Pluto UrlTestPortlet are vulnerable to Cross-Site Scripting (XSS) att
The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable
The 'first name' and 'last name' fields of the Apache Pluto 3.1.0 MVCBean JSP portlet maven archetyp
There is a Cross-Site Scripting (XSS) vulnerability in HUAWEI WS318n product when processing network
OroPlatform is a PHP Business Application Platform. In affected versions the email template preview
The Web Application Firewall (WAF) in Kemp LoadMaster 7.2.54.1 allows certain uses of onmouseover to
An issue was discovered in CALDERA 2.8.1. It contains multiple reflected, stored, and self XSS vulne
Insta HMS before 12.4.10 is vulnerable to XSS because of improper validation of user-supplied input
MartDevelopers Inc iResturant v1.0 allows Stored XSS by placing a payload in the username field duri
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrar
Lorensbergs Connect2 3.13.7647.20190 is affected by an XSS vulnerability. Exploitation requires admi
An Unrestricted File Upload vulnerability exists in Sourcecodester Vehicle Service Management System
Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail message with crafted Ca
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1.
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1.
Kentico Xperience 13.0.44 allows XSS via an XML document to the Media Libraries subsystem.
keystone is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site S
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability i
phoronix-test-suite is vulnerable to Improper Neutralization of Input During Web Page Generation ('C
orchardcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-sit
Inappropriate implementation in HTML parser in Google Chrome prior to 99.0.4844.51 allowed a remote
Latte is an open source template engine for PHP. Versions since 2.8.0 Latte has included a template
Convos is an open source multi-user chat that runs in a web browser. Characters starting with 'https
Convos is an open source multi-user chat that runs in a web browser. You can't use SVG extension in
WordPress is a free and open-source content management system written in PHP and paired with a Maria
Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability
In Daybyday CRM, version 2.2.0 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability that
In Teedy, versions v1.5 through v1.9 are vulnerable to Reflected Cross-Site Scripting (XSS). The “se
In Teedy, versions v1.5 through v1.9 are vulnerable to Stored Cross-Site Scripting (XSS) in the name
In Directus, versions 9.0.0-alpha.4 through 9.4.1 are vulnerable to stored Cross-Site Scripting (XSS
In Directus, versions 9.0.0-alpha.4 through 9.4.1 allow unrestricted file upload of .html files in t
Multiple XSS issues were discovered in Sage Enterprise Intelligence 2021 R1.1 that allow an attacker
Multiple XSS issues were discovered in Sage XRT Business Exchange 12.4.302 that allow an attacker to
An issue was discovered in WeCube platform 3.2.2. A DOM XSS vulnerability has been found on the plug
The Team Members WordPress plugin before 5.2.1 does not sanitize and escape some of its settings, w
PrimeKey EJBCA 7.9.0.2 Community allows stored XSS in the End Entity section. A user with the RA Adm
The Superio WordPress theme does not sanitise and escape some parameters, which could allow users wi
The Image Optimizer, Resizer and CDN WordPress plugin before 6.8.1 does not sanitise and escape some
The WP Social Sharing WordPress plugin through 2.2 does not sanitise and escape some of its settings
The Login with Cognito WordPress plugin through 1.4.8 does not sanitise and escape some of its setti
The All-in-One Addons for Elementor WordPress plugin before 2.4.4 does not sanitise and escape some
The WP-Ban WordPress plugin before 1.69.1 does not sanitise and escape some of its settings, which c
Nice (formerly Nortek) Linear eMerge E3-Series 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.3
The Product list Widget for Woocommerce WordPress plugin through 1.0 does not sanitise and escape a
The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode att
The WP-Lister Lite for Amazon WordPress plugin before 2.4.4 does not sanitize and escape a paramete
The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode att
The Members Import plugin for WordPress is vulnerable to Self Cross-Site Scripting via the user_logi
The 'Survey Maker – Best WordPress Survey Plugin' plugin for WordPress is vulnerable to Stored Cross