| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site. |
| Cross-site scripting (XSS) vulnerability in the Content Cards plugin before 0.9.7 for WordPress allows remote attackers to inject arbitrary JavaScript via crafted OpenGraph data. |
| Zivif PR115-204-P-RS V2.3.4.2103 web cameras contain a hard-coded cat1029 password for the root user. The SONIX operating system's setup renders this password unchangeable and it can be used to access the device via a TELNET session. |
| PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the shopping-cart.php cusid parameter. |
| PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the seller-view.php usid parameter. |
| The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) has XSS via the REF parameter to /network_diagnostics.html or /storage_info.html. |
| PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the category.php chid1 parameter. |
| A cross-site scripting (XSS) vulnerability in the custom-map plugin through 1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the map_id parameter to view/advancedsettings.php. |
| Cross-site scripting (XSS) vulnerability in system_name_set.cgi in TP-Link TL-SG108E 1.0.0 allows authenticated remote attackers to submit arbitrary java script via the 'sysName' parameter. |
| Cells Blog 3.5 has XSS via the pub_readpost.php fmid parameter. |
| Multiple cross-site scripting (XSS) vulnerabilities in the esb-csv-import-export plugin through 1.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) cie_type, (2) cie_import, (3) cie_update, or (4) cie_ignore parameter to includes/admin/views/esb-cie-import-export-page.php. |
| Piwigo 2.9.2 has XSS via the name parameter in an admin.php?page=album-3-properties request. |
| Paid To Read Script 2.0.5 has XSS via the referrals.php tier parameter or the admin/userview.php uid parameter. |
| The Clockwork SMS clockwork-test-message.php component has XSS via a crafted "to" parameter in a clockwork-test-message request to wp-admin/admin.php. This component code is found in the following WordPress plugins: Clockwork Free and Paid SMS Notifications 2.0.3, Two-Factor Authentication - Clockwork SMS 1.0.2, Booking Calendar - Clockwork SMS 1.0.5, Contact Form 7 - Clockwork SMS 2.3.0, Fast Secure Contact Form - Clockwork SMS 2.1.2, Formidable - Clockwork SMS 1.0.2, Gravity Forms - Clockwork SMS 2.2, and WP e-Commerce - Clockwork SMS 2.0.5. |
| Cross site scripting (XSS) vulnerability in the markup_clean_href function in inc/conv.php in BlogoText through 3.7.6 allows remote attackers to inject arbitrary JavaScript via a comment. |
| The Batch Manager component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via tags-* array parameters in an admin.php?page=batch_manager&mode=unit request. An attacker can exploit this to hijack a client's browser along with the data stored in it. |
| The Configuration component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via the gallery_title parameter in an admin.php?page=configuration§ion=main request. An attacker can exploit this to hijack a client's browser along with the data stored in it. |
| Bus Booking Script has XSS via the results.php datepicker parameter or the admin/new_master.php spemail parameter. |
| Cells Blog 3.5 has XSS via the jfdname parameter in an act=showpic request. |
| ServersCheck Monitoring Software before 14.2.3 is prone to a cross-site scripting vulnerability as user supplied-data is not validated/sanitized when passed in the settings_SMS_ALERT_TYPE parameter, and JavaScript can be executed on settings-save.html (the Settings - SMS Alerts page). |
