Vulnerabilities (CVE)

Multiple cross-site scripting (XSS) vulnerabilities in Alt-N MDaemon Free 12.5.4 allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) the Cascading Style Sheets (CSS) expression property in conjunction with a CSS comment within the STYLE attribute of an IMG element, (2) the CSS expression property in conjunction with multiple CSS comments within the STYLE attribute of an arbitrary element, or (3) an innerHTML attribute within an XML document.

Mako before 0.3.4 relies on the cgi.escape function in the Python standard library for cross-site scripting (XSS) protection, which makes it easier for remote attackers to conduct XSS attacks via vectors involving single-quote characters and a JavaScript onLoad event handler for a BODY element.

Cross-site scripting (XSS) vulnerability in the template module in SmartyCMS 0.9.4 allows remote attackers to inject arbitrary web script or HTML via the title bar.

Cross-site scripting (XSS) vulnerability in WebKit in Apple iOS before 6.1 allows user-assisted remote attackers to inject arbitrary web script or HTML via crafted content that is not properly handled during a copy-and-paste operation.

Cross-site scripting (XSS) vulnerability in search.php in Support Incident Tracker (aka SiT!) 3.65 allows remote attackers to inject arbitrary web script or HTML via the search_string parameter.

Cross-site scripting (XSS) vulnerability in the Privatemsg module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via a user name in a private message.

Multiple cross-site scripting (XSS) vulnerabilities in Mailtraq 2.17.3.3150 allow remote attackers to inject arbitrary web script or HTML via an e-mail message subject with (1) a JavaScript alert function used in conjunction with the fromCharCode method or (2) a SCRIPT element; an e-mail message body with (3) a crafted SRC attribute of an IFRAME element, (4) a data: URL in the CONTENT attribute of an HTTP-EQUIV="refresh" META element, or (5) a Cascading Style Sheets (CSS) expression property in ... Multiple cross-site scripting (XSS) vulnerabilities in Mailtraq 2.17.3.3150 allow remote attackers to inject arbitrary web script or HTML via an e-mail message subject with (1) a JavaScript alert function used in conjunction with the fromCharCode method or (2) a SCRIPT element; an e-mail message body with (3) a crafted SRC attribute of an IFRAME element, (4) a data: URL in the CONTENT attribute of an HTTP-EQUIV="refresh" META element, or (5) a Cascading Style Sheets (CSS) expression property in the STYLE attribute of an IMG element; or an e-mail message Date header with (6) a JavaScript alert function used in conjunction with the fromCharCode method, (7) a SCRIPT element, (8) a CSS expression property in the STYLE attribute of an arbitrary element, (9) a crafted SRC attribute of an IFRAME element, or (10) a data: URL in the CONTENT attribute of an HTTP-EQUIV="refresh" META element.

Show More

Multiple cross-site scripting (XSS) vulnerabilities in admin/admin_login.php in Uiga Fan Club, as downloaded on 20100310, allow remote attackers to inject arbitrary web script or HTML via the (1) admin_name and (2) admin_password parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Cross-site scripting (XSS) vulnerability in index.php in oBlog allows remote attackers to inject arbitrary web script or HTML via the search parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Multiple cross-site scripting (XSS) vulnerabilities in the Ubercart module 6.x-2.x before 6.x-2.8 and 7.x-3.x before 7.x-3.1 for Drupal allow remote authenticated users with the administer product classes permission to inject arbitrary web script or HTML via unspecified vectors.

Multiple cross-site scripting (XSS) vulnerabilities in Andy's PHP Knowledgebase (Aphpkb) before 0.95.8 allow remote attackers to inject arbitrary web script or HTML via the (1) HTTP Referer header to saa.php, (2) username parameter to login.php, or (3) keyword_list parameter to keysearch.php.

Multiple cross-site scripting (XSS) vulnerabilities in LightNEasy.php in LightNEasy 3.2.4 allow remote authenticated users to inject arbitrary web script or HTML via the (1) commentemail, (2) commentmessage, or (3) commentname parameter in a sendcomment action for the news page.

Cross-site scripting (XSS) vulnerability in LightNEasy.php in LightNEasy 3.2.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter, which is not properly handled in a forced SQL error message.

Cross-site scripting (XSS) vulnerability in the Cool Aid module before 6.x-1.9 for Drupal allows remote authenticated users with the administer coolaid permission to inject arbitrary web script or HTML via unspecified vectors.

Multiple cross-site scripting (XSS) vulnerabilities in Sonexis ConferenceManager 9.2.11.0 allow remote attackers to inject arbitrary web script or HTML via (1) the txtConferenceID parameter to HostLogin.asp, (2) the txtConferenceID parameter to ParticipantLogin.asp, (3) the acp parameter to ForgotPIN.asp, or the (4) Description, (5) title, or (6) Heading parameter to Error.asp.

Cross-site scripting (XSS) vulnerability in HP Version Control Repository Manager (VCRM) before 6.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Multiple cross-site scripting (XSS) vulnerabilities in the Data module 6.x-1.x before 6.x-1.0 and 7.x-1.x before 7.x-1.0-alpha3 for Drupal allow remote authenticated users with the administer data tables permission to inject arbitrary web script or HTML via the title parameter in (1) data.views.inc and (2) data_ui/data_ui.admin.inc.

Cross-site scripting (XSS) vulnerability in the web-wizard setup page on Cisco Scientific Atlanta D20 and D30 cable modems allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Cross-site scripting (XSS) vulnerability in REDCap before 4.14.3 allows remote authenticated users to inject arbitrary web script or HTML via uppercase characters in JavaScript events within user-defined labels.

Cross-site scripting (XSS) vulnerability in the Calendar Base (cal) extension before 1.1.1 for TYPO3, when Internet Explorer 6 is used, allows remote attackers to inject arbitrary web script or HTML via "search parameters."

Cross-site scripting (XSS) vulnerability in cgi-bin/mt/mt-wizard.cgi in Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13, when the product is incompletely installed, allows remote attackers to inject arbitrary web script or HTML via the dbuser parameter, a different vulnerability than CVE-2012-0318.

Cross-site scripting (XSS) vulnerability in Outlook Web Access in Microsoft Exchange Server 2010 SP2 and SP3 and 2013 Cumulative Update 2 and 3 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka "OWA XSS Vulnerability."

Cross-site scripting (XSS) vulnerability in the file-upload interface in Cisco Identity Services Engine (ISE) allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename, aka Bug ID CSCui67495.

Cross-site scripting (XSS) vulnerability in WebAccess in Novell GroupWise 8.x before 8.0 SP2 allows remote attackers to inject arbitrary web script or HTML via a crafted message, related to "replies."

Multiple cross-site scripting (XSS) vulnerabilities in netmri/config/userAdmin/login.tdf in Infoblox NetMRI 6.0.2.42, 6.1.2, 6.2.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) eulaAccepted or (2) mode parameter.

Multiple cross-site scripting (XSS) vulnerabilities in UI/Register.pm in Foswiki before 1.1.5 allow remote authenticated users with CHANGE privileges to inject arbitrary web script or HTML via the (1) text, (2) FirstName, (3) LastName, (4) OrganisationName, (5) OrganisationUrl, (6) Profession, (7) Country, (8) State, (9) Address, (10) Location, (11) Telephone, (12) VoIP, (13) InstantMessagingIM, (14) Email, (15) HomePage, or (16) Comment parameter. NOTE: some of these details are obtained from ... Multiple cross-site scripting (XSS) vulnerabilities in UI/Register.pm in Foswiki before 1.1.5 allow remote authenticated users with CHANGE privileges to inject arbitrary web script or HTML via the (1) text, (2) FirstName, (3) LastName, (4) OrganisationName, (5) OrganisationUrl, (6) Profession, (7) Country, (8) State, (9) Address, (10) Location, (11) Telephone, (12) VoIP, (13) InstantMessagingIM, (14) Email, (15) HomePage, or (16) Comment parameter. NOTE: some of these details are obtained from third party information.

Show More

Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via vectors involving a URL that contains a username.

Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA 3.12 through 4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) element or (2) defaultColor parameter to the Colour Picker page; the (3) formName parameter, (4) element parameter, or (5) full name field to the User Picker page; the (6) formName parameter, (7) element parameter, or (8) group name field to the Group Picker page; the (9) announcement_preview_banner_st parameter to unspecified components ... Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA 3.12 through 4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) element or (2) defaultColor parameter to the Colour Picker page; the (3) formName parameter, (4) element parameter, or (5) full name field to the User Picker page; the (6) formName parameter, (7) element parameter, or (8) group name field to the Group Picker page; the (9) announcement_preview_banner_st parameter to unspecified components, related to the Announcement Banner Preview page; unspecified vectors involving the (10) groupnames.jsp, (11) indexbrowser.jsp, (12) classpath-debug.jsp, (13) viewdocument.jsp, or (14) cleancommentspam.jsp page; the (15) portletKey parameter to runportleterror.jsp; the (16) URI to issuelinksmall.jsp; the (17) afterURL parameter to screenshot-redirecter.jsp; or the (18) HTTP Referrer header to 500page.jsp, as exploited in the wild in April 2010.

Show More

Cross-site scripting (XSS) vulnerability in the poll module in Subrion CMS 2.0.4 allows remote attackers to inject arbitrary web script or HTML via the title field. NOTE: some of these details are obtained from third party information. NOTE: this might overlap CVE-2012-5452.

Cross-site scripting (XSS) vulnerability in ForgottenPassword.aspx in MailEnable Professional, Enterprise, and Premium 4.26 and earlier, 5.x before 5.53, and 6.x before 6.03 allows remote attackers to inject arbitrary web script or HTML via the Username parameter.

Cross-site scripting (XSS) vulnerability in the tpl_mediaFileList function in inc/template.php in DokuWiki before 2012-01-25b allows remote attackers to inject arbitrary web script or HTML via the ns parameter in a medialist action to lib/exe/ajax.php.

Multiple cross-site scripting (XSS) vulnerabilities in Pligg CMS before 1.2.2 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary parameter in a move or (2) minimize action to admin/admin_index.php; (3) the karma_username parameter to module.php in the karma module; (4) q_1_low, (5) q_1_high, (6) q_2_low, or (7) q_2_high parameter in a configure action to module.php in the captcha module; or (8) the edit parameter to module.php in the admin_language module.

Cross-site scripting (XSS) vulnerability in libraries/config/ConfigFile.class.php in the setup interface in phpMyAdmin 3.4.x before 3.4.9 allows remote attackers to inject arbitrary web script or HTML via the host parameter.

Cross-site scripting (XSS) vulnerability in core/summary_api.php in MantisBT before 1.2.3 allows remote attackers to inject arbitrary web script or HTML via the Summary field, a different vector than CVE-2010-3303.

Cross-site scripting (XSS) vulnerability in the Contacts Application in HP Palm webOS before 2.0 allows remote attackers to inject arbitrary web script or HTML via a crafted vCard file.

Cross-site scripting (XSS) vulnerability in Cisco Unified Communications Domain Manager allows remote attackers to inject arbitrary web script or HTML via a crafted parameter value, aka Bug ID CSCue21042.

Cross-site scripting (XSS) vulnerability in ajax.php in evalSMSI 2.1.03 allows remote attackers to inject arbitrary web script or HTML via the return parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Cross-site scripting (XSS) vulnerability in NetWin SurgeMail 6.0a4 allows remote attackers to inject arbitrary web script or HTML via the SRC attribute of an IFRAME element in the body of an HTML e-mail message.

Cross-site scripting (XSS) vulnerability in decoda/templates/video.php in Decoda before 3.3.1 allows remote attackers to inject arbitrary web script or HTML via multiple URLs in an img tag.

Multiple cross-site scripting (XSS) vulnerabilities in CMSLogik 1.2.0 and 1.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) admin_email, (2) header_title, (3) site_title parameter to admin/settings; (4) recaptcha_private or (5) recaptcha_public parameter to admin/captcha_settings; (6) fb_appid, (7) fp_secret, (8) tw_consumer_key, or (9) tw_consumer_secret parameter to admin/social_settings; (10) slug parameter to admin/gallery/save_item_settings; or (11) item_link p ... Multiple cross-site scripting (XSS) vulnerabilities in CMSLogik 1.2.0 and 1.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) admin_email, (2) header_title, (3) site_title parameter to admin/settings; (4) recaptcha_private or (5) recaptcha_public parameter to admin/captcha_settings; (6) fb_appid, (7) fp_secret, (8) tw_consumer_key, or (9) tw_consumer_secret parameter to admin/social_settings; (10) slug parameter to admin/gallery/save_item_settings; or (11) item_link parameter to admin/edit_menu_item_ajax. NOTE: this issue might be resultant from CSRF.

Show More