| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file. |
| Cross-site scripting (XSS) vulnerability in inc/functions_post.php in MyBB (aka MyBulletinBoard) 1.0 RC2 through 1.1.4 allows remote attackers to inject arbitrary web script or HTML via a javascript URI with an SGML numeric character reference in the url BBCode tag, as demonstrated using "javascript". |
| Cross-site scripting (XSS) vulnerability in Nokia Electronic Documentation (NED) 5.0 allows remote attackers to execute arbitrary web script and steal cookies via a URL to the docs/ directory that contains the script. |
| Cross-site scripting (XSS) vulnerability in the Your_Account module for PHP-Nuke 5.0 through 6.0 allows remote attackers to inject arbitrary web script or HTML via the user_avatar parameter. |
| Cross-site scripting vulnerability in eintrag.php in Gästebuch (Gastebuch) before 1.3.3 allows remote attackers to inject arbitrary web script or HTML via the URL, which is used in the homepage parameter. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Filter Everything penci-filter-everything allows Stored XSS.This issue affects Penci Filter Everything: from n/a through <= 1.7. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Podcast penci-podcast allows DOM-Based XSS.This issue affects Penci Podcast: from n/a through <= 1.7. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Recipe penci-recipe allows DOM-Based XSS.This issue affects Penci Recipe: from n/a through <= 4.1. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Soledad soledad allows DOM-Based XSS.This issue affects Soledad: from n/a through <= 8.7.2. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GoDaddy CoBlocks coblocks allows Stored XSS.This issue affects CoBlocks: from n/a through <= 3.1.16. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Photo Gallery by 10Web photo-gallery allows Stored XSS.This issue affects Photo Gallery by 10Web: from n/a through <= 1.8.38. |
| CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the blacklist (ban) note parameter in UserController::ajax_blackList_post() is stored in the database without sanitization and rendered into an HTML data-note attribute without escaping. An admin with blacklist privileges can inject arbitrary JavaScript that executes in the browser of any other admin who views the user management page. This vulnerability is fixed in 0.31.4.0. |
| CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Pages module does not apply the html_purify validation rule to content fields during create and update operations, while the Blog module does. Page content is stored unsanitized in the database and rendered as raw HTML on the public frontend via echo $pageInfo->content. An authenticated admin with page-editing privileges can inject arbitrary JavaScript that executes in the browser of every public visitor viewing the page. This vulnerability is fixed in 0.31.4.0. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Conference grandconference allows Reflected XSS.This issue affects Grand Conference: from n/a through <= 5.3.4. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Reflector reflector-plugins allows Reflected XSS.This issue affects Reflector: from n/a through <= 1.2.2. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods PhotoMe photome allows DOM-Based XSS.This issue affects PhotoMe: from n/a through <= 5.7.1. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PixelYourSite PixelYourSite – Your smart PIXEL (TAG) Manager pixelyoursite allows Stored XSS.This issue affects PixelYourSite – Your smart PIXEL (TAG) Manager: from n/a through <= 11.2.0.1. |
| The Rise Blocks – A Complete Gutenberg Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘logoTag’ Site Identity block attribute in all versions up to, and including, 3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| The WP Social Meta plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. |
| The Simple Download Monitor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
