| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The SportsPress plugin before 2.7.2 for WordPress allows XSS. |
| The Neon theme 2.0 before 2020-06-03 for Bootstrap allows XSS via an Add Task Input operation in a dashboard. |
| showAlert() in the administration panel in Bludit 3.12.0 allows XSS. |
| Kordil EDMS through 2.2.60rc3 allows stored XSS in users_edit.php, users_management_edit.php, and user_management.php. |
| An issue was discovered in the Comments plugin before 1.5.5 for Craft CMS. There is stored XSS via an asset volume name. |
| An issue was discovered in the Comments plugin before 1.5.6 for Craft CMS. There is stored XSS via a guest name. |
| The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from multiple stored XSS vulnerabilities. An author user can create posts that result in stored XSS vulnerabilities, by using a crafted link in the custom URL or by applying custom attributes. |
| The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from a stored XSS vulnerability. An author user can create posts that result in a stored XSS by using a crafted payload in custom links. |
| An issue was discovered on Mofi Network MOFI4500-4GXeLTE 3.6.1-std and 4.0.8-std devices. They contain two undocumented administrator accounts. The sftp and mofidev accounts are defined in /etc/passwd and the password is not unique across installations. |
| Artica Pandora FMS 7.44 has persistent XSS in the Messages feature. |
| Dolibarr 11.0.4 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities that could allow remote authenticated attackers to inject arbitrary web script or HTML via ticket/card.php?action=create with the subject, message, or address parameter; adherents/card.php with the societe or address parameter; product/card.php with the label or customcode parameter; or societe/card.php with the alias or barcode parameter. |
| phpList before 3.5.4 allows XSS via /lists/admin/user.php and /lists/admin/users.php. |
| A cross-site scripting (XSS) vulnerability in i-doit 1.14.2 allows remote attackers to inject arbitrary web script or HTML via the viewMode, tvMode, tvType, objID, catgID, objTypeID, or editMode parameter. |
| An issue was discovered in HiveMQ Broker Control Center 4.3.2. A crafted clientid parameter in an MQTT packet (sent to the Broker) is reflected in the client section of the management console. The attacker's JavaScript is loaded in a browser, which can lead to theft of the session and cookie of the administrator's account of the Broker. |
| Extreme Management Center 8.4.1.24 allows unauthenticated reflected XSS via a parameter in a GET request. |
| Extreme EAC Appliance 8.4.1.24 allows unauthenticated reflected XSS via a parameter in a GET request. |
| An issue was discovered in Foxit Reader and PhantomPDF before 9.7.2. It allows information disclosure of a hardcoded username and password in the DocuSign plugin. |
| An issue was discovered in Navigate CMS through 2.8.7. It allows XSS because of a lack of purify calls in lib/packages/feeds/feed.class.php. |
| An issue was discovered in Navigate CMS through 2.8.7. It allows XSS because of a lack of purify calls in lib/packages/websites/website.class.php. |
| An issue was discovered in Navigate CMS through 2.8.7. It allows XSS because of a lack of purify calls in lib/packages/structure/structure.class.php. |
