Vulnerabilities (CVE)

Cross-site scripting (XSS) vulnerability in the Groups Page in Open-Audit Community 2.2.6 allows remote attackers to inject arbitrary web script or HTML via the group name.

DNN (formerly DotNetNuke) 9.1.1 allows cross-site scripting (XSS) via XML.

Osclass 3.7.4 has XSS via the query string to index.php, a different vulnerability than CVE-2014-6280.

ecard.php in Coppermine Photo Gallery (CPG) 1.5.46 has XSS via the sender_name, recipient_email, greetings, or recipient_name parameter.

GeniXCMS 1.1.5 has XSS via the dbuser or dbhost parameter during step 1 of installation.

The Mondula Multi Step Form plugin through 1.2.5 for WordPress allows XSS via the fw_data [id][1], fw_data [id][2], fw_data [id][3], fw_data [id][4], or email field of the contact form, exploitable with an fw_send_email action to wp-admin/admin-ajax.php.

There is a Persistent XSS vulnerability in the briefcase component of Synacor Zimbra Collaboration Suite (ZCS) Zimbra Web Client (ZWC) 8.8.8 before 8.8.8 Patch 7 and 8.8.9 before 8.8.9 Patch 1.

blog/index.php in SansCMS 0.7 has XSS via the q parameter.

MetInfo 6.0.0 allows XSS via a modified name of the navigation bar on the home page.

An issue was discovered in idreamsoft iCMS before 7.0.10. XSS exists via the fourth and fifth input elements on the admincp.php?app=prop&do=add screen.

An issue was discovered in Creme CRM 1.6.12. The organization creation page is affected by 9 stored cross-site scripting vulnerabilities involving the name, billing_address-address, billing_address-zipcode, billing_address-city, billing_address-department, shipping_address-address, shipping_address-zipcode, shipping_address-city, and shipping_address-department parameters.

An issue was discovered in Creme CRM 1.6.12. The salesman creation page is affected by 10 stored cross-site scripting vulnerabilities involving the firstname, lastname, billing_address-address, billing_address-zipcode, billing_address-city, billing_address-department, shipping_address-address, shipping_address-zipcode, shipping_address-city, and shipping_address-department parameters.

The New Threads plugin before 1.2 for MyBB has XSS.

joyplus-cms 1.6.0 has XSS via the manager/admin_ajax.php can_search_device array parameter.

The Website Manager module in SEO Panel 3.13.0 and earlier is affected by a stored Cross-Site Scripting (XSS) vulnerability, allowing remote authenticated attackers to inject arbitrary web script or HTML via the websites.php name parameter.

InstantCMS 2.10.1 has /redirect?url= XSS.

In Graylog before 2.4.6, XSS was possible in typeahead components, related to components/common/TypeAheadInput.jsx and components/search/QueryInput.ts.

PHP Scripts Mall JOB SITE (aka Job Portal) 3.0.1 has Cross-site Scripting (XSS) via the search bar.

Pimcore allows XSS via Users, Assets, Data Objects, Video Thumbnails, Image Thumbnails, Field-Collections, Objectbrick, Classification Store, Document Types, Predefined Properties, Predefined Asset Metadata, Quantity Value, and Static Routes functions.

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

Cross-site scripting (XSS) vulnerability in Progress Kendo UI Editor v2018.1.221 allows remote attackers to inject arbitrary JavaScript into the DOM of the WYSIWYG editor because of the editorNS.Serializer toEditableHtml function in kendo.all.min.js. If the victim accesses the editor, the payload gets executed. Furthermore, if the payload is reflected at any other resource that does rely on the sanitisation of the editor itself, the JavaScript payload will be executed in the context of the appli ... Cross-site scripting (XSS) vulnerability in Progress Kendo UI Editor v2018.1.221 allows remote attackers to inject arbitrary JavaScript into the DOM of the WYSIWYG editor because of the editorNS.Serializer toEditableHtml function in kendo.all.min.js. If the victim accesses the editor, the payload gets executed. Furthermore, if the payload is reflected at any other resource that does rely on the sanitisation of the editor itself, the JavaScript payload will be executed in the context of the application. This allows attackers (in the worst case) to take over user sessions.

Show More

Digisol Wireless Wifi Home Router HR-3300 allows XSS via the userid or password parameter to the admin login page.

Synacor Zimbra Collaboration Suite Collaboration before 8.8.11 has XSS in the AJAX and html web clients.

Catfish CMS v4.7.9 allows XSS via the admin/Index/write.html editorValue parameter (aka an article posted by an administrator).

ClipperCMS 1.3.3 has stored XSS via the Full Name field of (1) Security -> Manager Users or (2) Security -> Web Users.

ImpressCMS 1.3.10 has XSS via the PATH_INFO to htdocs/install/index.php, htdocs/install/page_langselect.php, or htdocs/install/page_modcheck.php.

A reflected XSS issue was discovered in the registration form in Rocket.Chat before 0.66. When one creates an account, the next step will ask for a username. This field will not save HTML control characters but an error will be displayed that shows the attempted username unescaped via packages/rocketchat-ui-login/client/username/username.js in packages/rocketchat-ui-login/client/username/username.html.

An XSS issue was discovered in packages/rocketchat-mentions/Mentions.js in Rocket.Chat before 0.65. The real name of a username is displayed unescaped when the user is mentioned (using the @ symbol) in a channel or private chat. Consequently, it is possible to exfiltrate the secret token of every user and also admins in the channel.

An issue was discovered in idreamsoft iCMS 7.0.9. XSS exists via the callback parameter in a public/api.php uploadpic request, bypassing the iWAF protection mechanism.

edit_requests.php in yTakkar Instagram-clone through 2018-04-23 has XSS via an onmouseover payload because of an inadequate XSS protection mechanism based on preg_replace.

Multiple Persistent cross-site scripting (XSS) issues in the Techotronic all-in-one-favicon (aka All In One Favicon) plugin 4.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via Apple-Text, GIF-Text, ICO-Text, PNG-Text, or JPG-Text.

Insufficient input validation in the gridExcelExport functionality, in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows remote attackers to execute reflected cross-site scripting attacks.

A vulnerability has been identified in CP 1604 (All versions), CP 1616 (All versions). The integrated web server of the affected CP devices could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into following a malicious link. User interaction is required for a successful exploitation. At the time of advisory publication no public exploitation of this vulnerability was known.

Boostnote v0.11.7 allows XSS during highlighting of Markdown text, as demonstrated by an onerror attribute of an IMG element.

admin/themes/default/items/tag-form.php in Omeka before 2.6.1 allows XSS by adding or editing a tag.

TCExam before 14.1.2 has XSS via an ff_ or xl_ field.

An issue was discovered in Jirafeau before 3.4.1. The "search file by hash" form is affected by reflected XSS that could allow, by targeting an administrator, stealing a session and gaining administrative privileges.

An issue was discovered in Jirafeau before 3.4.1. The "search file by link" form is affected by reflected XSS that could allow, by targeting an administrator, stealing a session and gaining administrative privileges.