174 docs tagged with "Cross-Site_Scripting"

CVE-2000-1104

Variant of the 'IIS Cross-Site Scripting' vulnerability as originally discussed in MS:MS00-060 (CVE-

CVE-2007-0045

Multiple cross-site scripting (XSS) vulnerabilities in Adobe Acrobat Reader Plugin before 8.0.0, and

CVE-2011-5018

Koala Framework before 2011-11-21 has XSS via the request_uri parameter.

CVE-2012-0007

The Microsoft Anti-Cross Site Scripting (AntiXSS) Library 3.x and 4.0 does not properly evaluate cha

CVE-2012-1915

EllisLab CodeIgniter 2.1.2 allows remote attackers to bypass the xss_clean() Filter and perform XSS

CVE-2012-2899

Google Chrome before 21.0.1180.82 on iOS makes certain incorrect calls to WebView methods that trigg

CVE-2012-6433

Cross-site request forgery (CSRF) vulnerability in e107_admin/newspost.php in e107 1.0.1 allows remo

CVE-2013-0009

Cross-site scripting (XSS) vulnerability in Microsoft System Center Operations Manager 2007 SP1 and

CVE-2013-0010

Cross-site scripting (XSS) vulnerability in Microsoft System Center Operations Manager 2007 SP1 and

CVE-2014-0183

Versions of Katello as shipped with Red Hat Subscription Asset Manager 1.4 are vulnerable to a XSS v

CVE-2014-1408

The Conceptronic C54APM access point with runtime code 1.26 has a default password of admin for the

CVE-2014-1454

Pearson eSIS (Enterprise Student Information System) message board has stored XSS due to improper va

CVE-2014-4553

Cross-site Scripting (XSS) in the spreadshirt-rss-3d-cube-flash-gallery plugin 2014 for WordPress al

CVE-2014-8674

Multiple Cross-Site Scripting (XSS) vulnerabilities exist in Simple Online Planning (SOPlanning) bef

CVE-2014-9405

A Cross-Site Scripting (XSS) vulnerability exists in the description field of an Download RSS item o

CVE-2016-10736

The 'Social Pug - Easy Social Share Buttons' plugin before 1.2.6 for WordPress allows XSS via the wp

CVE-2016-6588

A Cross-Site Scripting (XSS) vulnerability exists in the ITMS workflow process manager console in Sy

CVE-2018-14481

Osclass 3.7.4 has XSS via the query string to index.php, a different vulnerability than CVE-2014-628

CVE-2018-16887

A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker with

CVE-2018-19600

Rhymix CMS 1.9.8.1 allows XSS via an index.php?module=admin&act=dispModuleAdminFileBox SVG upload.

CVE-2018-20326

ChinaMobile PLC Wireless Router GPN2.4P21-C-CN devices with firmware W2001EN-00 have XSS via the cgi

CVE-2018-20663

The Reporting Addon (aka Reports Addon) through 2019-01-02 for CUBA Platform through 6.10.x has Pers

CVE-2018-20680

Frog CMS 0.9.5 has XSS in the admin/?/page/edit/1 body field.

CVE-2018-20682

Fork CMS 5.0.6 allows stored XSS via the private/en/settings facebook_admin_ids parameter (aka 'Admi

CVE-2019-11763

Failure to correctly handle null bytes when processing HTML entities resulted in Firefox incorrectly

CVE-2019-14918

XSS in the DHCP lease-status table in Billion Smart Energy Router SG600R2 Firmware v3.02.rc6 allows

CVE-2019-15602

The fileview package v0.1.6 has inadequate output encoding and escaping, which leads to a stored Cro

CVE-2019-15603

The seefl package v0.1.1 is vulnerable to a stored Cross-Site Scripting (XSS) vulnerability via a ma

CVE-2019-16956

SolarWinds Web Help Desk 12.7.0 allows XSS via the Request Type parameter of a ticket.

CVE-2019-16960

SolarWinds Web Help Desk 12.7.0 allows XSS via a CSV template file with a crafted Location Name fiel

CVE-2019-17022

When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer does

CVE-2019-18588

Dell EMC Unisphere for PowerMax versions prior to 9.1.0.9, Dell EMC Unisphere for PowerMax versions

CVE-2019-18652

A DOM based XSS vulnerability has been identified on the WatchGuard XMT515 through 12.1.3, allowing

CVE-2019-18859

Digi AnywhereUSB 14 allows XSS via a link for the Digi Page.

CVE-2019-19265

IceWarp WebMail Server 12.2.0 and 12.1.x before 12.2.1.1 (and probably earlier versions) allows XSS

CVE-2019-19266

IceWarp WebMail Server 12.2.0 and 12.1.x before 12.2.1.1 (and probably earlier versions) allows XSS

CVE-2019-19311

GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 allows XSS in group and profile fields.

CVE-2019-20221

In Support Incident Tracker (SiT!) 3.67, Load Plugins input in the config.php page is affected by XS

CVE-2019-20223

In Support Incident Tracker (SiT!) 3.67, the id parameter is affected by XSS on all endpoints that u

CVE-2019-20363

An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via alias to Manage Store Contents.

CVE-2019-20364

An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via cacheName to SystemCacheDetails.js

CVE-2019-20365

An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via search to the Users/Group search p

CVE-2019-20366

An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via isTrustStore to Manage Store Conte

CVE-2019-20374

A mutation cross-site scripting (XSS) issue in Typora through 0.9.9.31.2 on macOS and through 0.9.81

CVE-2019-20378

ganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via the header.php ce parameter.

CVE-2019-20379

ganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via the header.php cs parameter.

CVE-2019-3501

The OUGC Awards plugin before 1.8.19 for MyBB allows XSS via a crafted award reason that is mishandl

CVE-2019-5310

YUNUCMS 1.1.8 has XSS in app/admin/controller/System.php because crafted data can be written to the

CVE-2019-5311

An issue was discovered in YUNUCMS V1.1.8. app/index/controller/Show.php has an XSS vulnerability vi

CVE-2019-6243

Frog CMS 0.9.5 allows XSS via the forgot password page (aka the /admin/?/login/forgot URI).

CVE-2019-6248

PHP Scripts Mall Citysearch / Hotfrog / Gelbeseiten Clone Script 2.0.1 has Reflected XSS via the src

CVE-2019-9537

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability

CVE-2019-9538

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability

CVE-2019-9539

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability

CVE-2019-9540

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability

CVE-2019-9542

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability

CVE-2020-13116

OpenText Carbonite Server Backup Portal before 8.8.7 allows XSS by an authenticated user via policy

CVE-2020-23643

XSS exists in JIZHICMS 1.7.1 via index.php/Wechat/checkWeixin?signature=1&echostr={XSS] to Home/c/We

CVE-2020-23644

XSS exists in JIZHICMS 1.7.1 via index.php/Error/index?msg={XSS] to Home/c/ErrorController.php.

CVE-2020-23849

Stored XSS was discovered in the tree mode of jsoneditor before 9.0.2 through injecting and executin

CVE-2020-24701

OX App Suite through 7.10.4 allows XSS via the app loading mechanism (the PATH_INFO to the /appsuite

CVE-2020-24900

The default installation of Krpano Panorama Viewer version <=1.20.8 is prone to Reflected XSS due to

CVE-2020-24901

The default installation of Krpano Panorama Viewer version <=1.20.8 is vulnerable to Reflected XSS d

CVE-2020-26046

FUEL CMS 1.4.11 has stored XSS in Blocks/Navigation/Site variables. This could lead to cookie steali

CVE-2020-26293

HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can l

CVE-2020-26713

REDCap 10.3.4 contains a XSS vulnerability in the ToDoList function with parameter sort. The informa

CVE-2020-26768

Formstone <=1.4.16 is vulnerable to a Reflected Cross-Site Scripting (XSS) vulnerability caused by i

CVE-2020-35170

Dell EMC Unisphere for PowerMax versions prior to 9.1.0.9, Dell EMC Unisphere for PowerMax versions

CVE-2020-35203

Reflected XSS in Web Compliance Manager in Quest Policy Authority version 8.1.2.200 allows attackers

CVE-2020-35204

Reflected XSS in Quest Policy Authority version 8.1.2.200 allows attackers to inject malicious code

CVE-2020-35206

Reflected XSS in Web Compliance Manager in Quest Policy Authority version 8.1.2.200 allows attackers

CVE-2020-35717

zonote through 0.4.0 allows XSS via a crafted note, with resultant Remote Code Execution (because no

CVE-2020-35719

Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code i

CVE-2020-35720

Stored XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to store malicious code in mu

CVE-2020-35721

Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code i

CVE-2020-35723

Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code i

CVE-2020-35724

Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code i

CVE-2020-35725

Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code i

CVE-2020-35726

Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code i

CVE-2020-35727

Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code i

CVE-2020-36190

RailsAdmin (aka rails_admin) before 1.4.3 and 2.x before 2.0.2 allows XSS via nested forms.

CVE-2020-5191

PHPGurukul Hospital Management System in PHP v4.0 suffers from multiple Persistent XSS vulnerabiliti

CVE-2020-5305

Codoforum 4.8.3 allows XSS in the admin dashboard via a name field of a new user, i.e., on the Manag

CVE-2020-5306

Codoforum 4.8.3 allows XSS via a post using parameters display name, title name, or content.

CVE-2020-5497

The OpenID Connect reference implementation for MITREid Connect through 1.3.3 allows XSS due to user

CVE-2020-5842

Codoforum 4.8.3 allows XSS in the user registration page: via the username field to the index.php?u=

CVE-2020-5843

Codoforum 4.8.3 allows XSS in the admin dashboard via a category to the Manage Users screen.

CVE-2020-6163

The WikibaseMediaInfo extension 1.35 for MediaWiki allows XSS because of improper template syntax wi

CVE-2020-6583

BigProf Online Invoicing System (OIS) through 2.6 has XSS that can be leveraged for session hijackin

CVE-2020-6632

In PrestaShop 1.7.6.2, XSS can occur during addition or removal of a QuickAccess link. This is relat

CVE-2020-6847

OpenTrade through 0.2.0 has a DOM-based XSS vulnerability that is executed when an administrator att

CVE-2020-8160

MendixSSO <= 2.1.1 contains endpoints that make use of the openid handler, which is suffering from a

CVE-2021-21447

SAP BusinessObjects Business Intelligence platform, versions 410, 420, allows an authenticated attac

CVE-2021-21494

MK-AUTH through 19.01 K4.9 allows XSS via the admin/logs_ajax.php tipo parameter. An attacker can le

CVE-2021-23124

An issue was discovered in Joomla! 3.9.0 through 3.9.23. The lack of escaping in mod_breadcrumbs ari

CVE-2021-23125

An issue was discovered in Joomla! 3.1.0 through 3.9.23. The lack of escaping of image-related param

CVE-2021-23928

OX App Suite through 7.10.3 allows XSS via the ajax/apps/manifests query string.

CVE-2021-23929

OX App Suite through 7.10.4 allows XSS via a crafted Content-Disposition header in an uploaded HTML

CVE-2021-23930

OX App Suite through 7.10.4 allows XSS via use of the conversion API for a distributedFile.

CVE-2021-23931

OX App Suite through 7.10.4 allows XSS via an inline binary file.

CVE-2021-23932

OX App Suite through 7.10.4 allows XSS via an inline image with a crafted filename.

CVE-2021-23933

OX App Suite through 7.10.4 allows XSS via JavaScript in a Note referenced by a mail:// URL.

CVE-2021-23934

OX App Suite through 7.10.4 allows XSS via a contact whose name contains JavaScript code.

CVE-2021-23935

OX App Suite through 7.10.4 allows XSS via an appointment in which the location contains JavaScript

CVE-2021-23936

OX App Suite through 7.10.4 allows XSS via the subject of a task.

CVE-2021-24680

The WP Travel Engine WordPress plugin before 5.3.1 does not escape the Description field in the Trip

CVE-2021-24828

The Mortgage Calculator / Loan Calculator WordPress plugin before 1.5.17 does not escape the some of

CVE-2021-24963

The LiteSpeed Cache WordPress plugin before 4.4.4 does not escape the qc_res parameter before output

CVE-2021-24964

The LiteSpeed Cache WordPress plugin before 4.4.4 does not properly verify that requests are coming

CVE-2021-24973

The Site Reviews WordPress plugin before 5.17.3 does not sanitise and escape the site-reviews parame

CVE-2021-24991

The WooCommerce PDF Invoices & Packing Slips WordPress plugin before 2.10.5 does not escape the tab

CVE-2021-24999

The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_notic

CVE-2021-25000

The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_delet

CVE-2021-25001

The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_creat

CVE-2021-25016

The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise

CVE-2021-25022

The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.16.66 does not sanitise and escape

CVE-2021-25027

The PowerPack Addons for Elementor WordPress plugin before 2.6.2 does not escape the tab parameter b

CVE-2021-25040

The Booking Calendar WordPress plugin before 8.9.2 does not sanitise and escape the booking_type par

CVE-2021-25043

The WOOCS WordPress plugin before 1.3.7.3 does not sanitise and escape the custom_prices parameter b

CVE-2021-25047

The 10Web Social Photo Feed WordPress plugin before 1.4.29 was affected by a reflected Cross-Site Sc

CVE-2021-3002

Seo Panel 4.8.0 allows reflected XSS via the seo/seopanel/login.php?sec=forgot email parameter.

CVE-2021-3014

In MikroTik RouterOS through 2021-01-04, the hotspot login page is vulnerable to reflected XSS via t

CVE-2021-3026

Invision Community IPS Community Suite before 4.5.4.2 allows XSS during the quoting of a post or com

CVE-2021-3111

The Express Entries Dashboard in Concrete5 8.5.4 allows stored XSS via the name field of a new data

CVE-2021-36737

The input fields of the Apache Pluto UrlTestPortlet are vulnerable to Cross-Site Scripting (XSS) att

CVE-2021-36738

The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable

CVE-2021-36739

The 'first name' and 'last name' fields of the Apache Pluto 3.1.0 MVCBean JSP portlet maven archetyp

CVE-2021-40041

There is a Cross-Site Scripting(XSS) vulnerability in HUAWEI WS318n product when processing network

CVE-2021-41236

OroPlatform is a PHP Business Application Platform. In affected versions the email template preview

CVE-2021-41823

The Web Application Firewall (WAF) in Kemp LoadMaster 7.2.54.1 allows certain uses of onmouseover to

CVE-2021-42558

An issue was discovered in CALDERA 2.8.1. It contains multiple reflected, stored, and self XSS vulne

CVE-2021-42841

Insta HMS before 12.4.10 is vulnerable to XSS because of improper validation of user-supplied input

CVE-2021-43436

MartDevelopers Inc iResturant v1.0 allows Stored XSS by placing a payload in the username field duri

CVE-2021-43942

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrar

CVE-2021-43960

Lorensbergs Connect2 3.13.7647.20190 is affected by an XSS vulnerability. Exploitation requires admi

CVE-2021-46078

An Unrestricted File Upload vulnerability exists in Sourcecodester Vehicle Service Management System

CVE-2021-46144

Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail message with crafted Ca

CVE-2021-46146

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1.

CVE-2021-46150

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1.

CVE-2021-46163

Kentico Xperience 13.0.44 allows XSS via an XML document to the Media Libraries subsystem.

CVE-2022-0087

keystone is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site S

CVE-2022-0121

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability i

CVE-2022-0157

phoronix-test-suite is vulnerable to Improper Neutralization of Input During Web Page Generation ('C

CVE-2022-0159

orchardcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-sit

CVE-2022-0801

Inappropriate implementation in HTML parser in Google Chrome prior to 99.0.4844.51 allowed a remote

CVE-2022-21648

Latte is an open source template engine for PHP. Versions since 2.8.0 Latte has included a template

CVE-2022-21649

Convos is an open source multi-user chat that runs in a web browser. Characters starting with 'https

CVE-2022-21650

Convos is an open source multi-user chat that runs in a web browser. You can't use SVG extension in

CVE-2022-21662

WordPress is a free and open-source content management system written in PHP and paired with a Maria

CVE-2022-21932

Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability

CVE-2022-22109

In Daybyday CRM, version 2.2.0 is vulnerable to Stored Cross-Site Scripting (XSS) vulnerability that

CVE-2022-22114

In Teedy, versions v1.5 through v1.9 are vulnerable to Reflected Cross-Site Scripting (XSS). The “se

CVE-2022-22115

In Teedy, versions v1.5 through v1.9 are vulnerable to Stored Cross-Site Scripting (XSS) in the name

CVE-2022-22116

In Directus, versions 9.0.0-alpha.4 through 9.4.1 are vulnerable to stored Cross-Site Scripting (XSS

CVE-2022-22117

In Directus, versions 9.0.0-alpha.4 through 9.4.1 allow unrestricted file upload of .html files in t

CVE-2022-34322

Multiple XSS issues were discovered in Sage Enterprise Intelligence 2021 R1.1 that allow an attacker

CVE-2022-34323

Multiple XSS issues were discovered in Sage XRT Business Exchange 12.4.302 that allow an attacker to

CVE-2022-37787

An issue was discovered in WeCube platform 3.2.2. A DOM XSS vulnerability has been found on the plug

CVE-2022-3936

The Team Members WordPress plugin before 5.2.1 does not sanitize and escapes some of its settings, w

CVE-2022-40711

PrimeKey EJBCA 7.9.0.2 Community allows stored XSS in the End Entity section. A user with the RA Adm

CVE-2022-4114

The Superio WordPress theme does not sanitise and escape some parameters, which could allow users wi

CVE-2022-4119

The Image Optimizer, Resizer and CDN WordPress plugin before 6.8.1 does not sanitise and escape some

CVE-2022-4198

The WP Social Sharing WordPress plugin through 2.2 does not sanitise and escape some of its settings

CVE-2022-4200

The Login with Cognito WordPress plugin through 1.4.8 does not sanitise and escape some of its setti

CVE-2022-4256

The All-in-One Addons for Elementor WordPress plugin before 2.4.4 does not sanitise and escape some

CVE-2022-4260

The WP-Ban WordPress plugin before 1.69.1 does not sanitise and escape some of its settings, which c

CVE-2022-42710

Nice (formerly Nortek) Linear eMerge E3-Series 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.3

CVE-2022-4329

The Product list Widget for Woocommerce WordPress plugin through 1.0 does not sanitise and escape a

CVE-2022-4362

The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode att

CVE-2022-4369

The WP-Lister Lite for Amazon WordPress plugin before 2.4.4 does not sanitize and escapes a paramete

CVE-2022-4381

The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode att

CVE-2022-4663

The Members Import plugin for WordPress is vulnerable to Self Cross-Site Scripting via the user_logi

CVE-2023-0038

The 'Survey Maker – Best WordPress Survey Plugin' plugin for WordPress is vulnerable to Stored Cross
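Most entries in this list describe the same defect: a request parameter, setting or record field is written into a page without being escaped for the context it lands in (the WordPress plugin entries that "do not sanitise and escape ... before outputting it back" are the clearest cases, and CVE-2021-41823 shows an onmouseover attribute getting past a WAF). The following is an added example written for this page, not code from any product listed above; the handler, the parameter name q and the sample payloads are constructed for illustration. It shows the vulnerable concatenation beside a context-aware hardened form, a structural check that tells the two apart, and why HTML-entity encoding alone does not protect an href.

```javascript
// Added example for this page; not code from any of the products listed above.
// Demonstrates the recurring "parameter reflected into HTML without escaping"
// defect and the context-aware encoding that closes it. The parameter name q,
// the handlers and the sample payloads are constructed for illustration.

// Vulnerable form: the parameter is concatenated straight into an attribute
// value and a text node. Any '"' or '<' in q changes the markup structure.
function renderSearchVulnerable(q) {
  return `<input name="q" value="${q}"><p>Results for ${q}</p>`;
}

// HTML-entity encoder for text nodes and double/single-quoted attribute
// values: the five characters that can close a node or an attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened form: every interpolation passes through the encoder that matches
// its context. The attribute stays double-quoted on purpose: escapeHtml does
// not protect an unquoted attribute, where a space is enough to start a new one.
function renderSearchSafe(q) {
  const e = escapeHtml(q);
  return `<input name="q" value="${e}"><p>Results for ${e}</p>`;
}

// An href is a different context. Entity-encoding does nothing against a
// javascript: URL because the browser decodes entities before it resolves
// the scheme, so the value must be validated, not just encoded. Accept only
// absolute http(s) URLs or same-origin paths (a leading "//" would be a
// scheme-relative URL to another host); everything else is neutralised.
function safeHref(url) {
  const s = String(url).trim(); // browsers ignore leading whitespace before a scheme
  const allowed = /^https?:\/\//i.test(s) || /^\/(?!\/)/.test(s);
  return allowed ? escapeHtml(s) : '#';
}

// Structural check: the search template double-quotes exactly two attributes,
// so a correctly escaped render contains exactly four '"' characters. Any
// more means the payload broke out of the attribute (for example to add an
// onmouseover= handler without using a single '<').
function attributeBoundaryIntact(html) {
  return (html.match(/"/g) || []).length === 4;
}

// Constructed payloads (not taken from any advisory on this page): one closes
// the attribute and opens a tag, one adds an event handler with no '<' at all.
const PAYLOAD_TAG = '"><script>alert(1)</script>';
const PAYLOAD_ATTR = '" onmouseover="alert(1)';

console.log('vulnerable:', renderSearchVulnerable(PAYLOAD_ATTR));
console.log('hardened:  ', renderSearchSafe(PAYLOAD_ATTR));
console.log('href:      ', safeHref('javascript:alert(1)'), safeHref('/x" onmouseover="alert(1)'));
```

The quote-counting check is a test aid for this template only; in a real code base the equivalent is a template engine that auto-escapes per context, with URL attributes validated against an allowlist of schemes before they are written out.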