| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Cross-site scripting (XSS) vulnerability in the Content Cards plugin before 0.9.7 for WordPress allows remote attackers to inject arbitrary JavaScript via crafted OpenGraph data. |
| wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site. |
| Cross-site scripting (XSS) vulnerability in the "Response request" function in Cybozu Garoon before 4.2.2. |
| wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers to conduct XSS attacks via a crafted file. |
| custom/run.cgi in Webmin before 1.870 allows remote authenticated administrators to conduct XSS attacks via the description field in the custom command functionality. |
| There is a reflected XSS vulnerability in ZKTime Web 2.0.1.12280. The vulnerability exists due to insufficient filtration of user-supplied data in the 'Range' field of the 'Department' module in a Personnel Advanced Query. A remote attacker can execute arbitrary HTML and script code in the browser in the context of the vulnerable application. |
| Cross-site scripting (XSS) vulnerability in the post highlights plugin before 2.6.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the txt parameter in a headline action to ajax/ph_save.php. |
| The Emag Marketplace Connector plugin 1.0.0 for WordPress has reflected XSS because the parameter "post" to /wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php is not filtered correctly. |
| The WebMail components (Crystal, pronto, and pronto4) in CommuniGate Pro before 6.2.1 have stored XSS vulnerabilities via (1) the location or details field of a Google Calendar invitation, (2) a crafted Outlook.com calendar (aka Hotmail Calendar) invitation, (3) e-mail granting access to a directory that has JavaScript in its name, (4) JavaScript in a note name, (5) JavaScript in a task name, or (6) HTML e-mail that is mishandled in the Inbox component. |
| b3log Symphony (aka Sym) 2.2.0 allows an XSS attack by sending a private letter with a certain /article URI, and a second private letter with a modified title. |
| Cross - site scripting (XSS) vulnerability in UrBackup Server before 2.1.20 allows remote attackers to inject arbitrary web script or HTML via the action parameter. |
| MapOS 3.1.11 and earlier has a Stored Cross-site Scripting (XSS) vulnerability in /clientes/visualizar, which allows remote attackers to inject arbitrary web script or HTML via a crafted description parameter. |
| In Horde Groupware 5.2.19, there is XSS via the Name field during creation of a new Resource. This can be leveraged for remote code execution after compromising an administrator account, because the CVE-2015-7984 CSRF protection mechanism can then be bypassed. |
| In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the Color field in a Create Task List action. |
| In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a "Calendar -> New Event" action. |
| The Public tologin feature in admin.php in LvyeCMS through 3.1 allows XSS via a crafted username that is mishandled during later log viewing by an administrator. |
| IBM DOORS Next Generation (DNG/RRC) 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 134064. |
| Cross-site scripting (XSS) vulnerability in MistServer before 2.13 allows remote attackers to inject arbitrary web script or HTML via vectors related to failed authentication requests alerts. |
| b3log Symphony (aka Sym) 2.2.0 does not properly address XSS in JSON objects, as demonstrated by a crafted userAvatarURL value to /settings/avatar, related to processor/AdminProcessor.java, processor/ArticleProcessor.java, processor/UserProcessor.java, service/ArticleQueryService.java, service/AvatarQueryService.java, and service/CommentQueryService.java. |
| Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station 6.0 before 6.0-2638 and 6.3 before 6.3-2962 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) album name, (2) file name of uploaded photos, (3) description of photos, or (4) tag of the photos. |
