CVE-2021-42360

On sites that also had the Elementor plugin for WordPress installed, it was possible for users with the editposts capability, which includes Contributor-level users, to import blocks onto any page using the astra-page-elementor-batch-process AJAX action. An attacker could craft and host a block...

CVE-2021-25978

Apostrophe CMS versions between 2.63.0 to 3.3.1 are vulnerable to Stored XSS where an editor uploads an SVG file that contains malicious JavaScript onto the Images module, which triggers XSS once viewed...

CVE-2021-45822

A cross-site scripting vulnerability is present in Xbtit 3.1. The stored XSS vulnerability occurs because /ajaxchat/sendChatData.php does not properly validate the value of the "n" POST parameter. Through this vulnerability, an attacker is capable to execute malicious JavaScript code...

CVE-2021-24159

Due to the lack of sanitization and lack of nonce protection on the custom CSS feature, an attacker could craft a request to inject malicious JavaScript on a site using the Contact Form 7 Style WordPress plugin through 3.1.9. If an attacker successfully tricked a site’s administrator into clickin...

CVE-2021-20112

A stored cross-site scripting vulnerability exists in TCExam = 14.8.1. Valid files uploaded via tceselectmediafile.php with a filename beggining with a period will be rendered as text/html. An attacker with access to tceselectmediafile.php could upload a malicious javascript payload which would b...

CVE-2020-13176

The Management Interface of the Teradici Cloud Access Connector and Cloud Access Connector Legacy for releases prior to April 24, 2020 v16 and earlier for the Cloud Access Connector contains a stored cross-site scripting XSS vulnerability which allows a remote unauthenticated attacker to poison l...

CVE-2020-4052

In Wiki.js before 2.4.107, there is a stored cross-site scripting through template injection. This vulnerability exists due to an insecure validation mechanism intended to insert v-pre tags into rendered HTML elements which contain curly-braces. By creating a crafted wiki page, a malicious Wiki.j...

CVE-2020-7642

lazysizes through 5.2.0 allows execution of malicious JavaScript. The following attributes are not sanitized by the video-embed plugin: data-vimeo, data-vimeoparams, data-youtube and data-ytparams which can be abused to inject malicious JavaScript...

CVE-2017-11739

In Zoho ManageEngine Application Manager 13.1 Build 13100, an authenticated user, with administrative privileges, has the ability to add a widget on any dashboard. This widget can be a "Utility Widget" with a "Custom HTML or Text" field. Once this widget is created, it will be loaded on the...

CVE-2019-16751

An issue was discovered in Devise Token Auth through 1.1.2. The omniauth failure endpoint is vulnerable to Reflected Cross Site Scripting XSS through the message parameter. Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim's browser. This affects...

CVE-2019-14432

Incorrect authentication of application WebSocket connections in Loom Desktop for Mac up to 0.16.0 allows remote code execution from either malicious JavaScript in a browser or hosts on the same network, during periods in which a user is recording a video with the application. The same attack...

CVE-2019-13070

A stored XSS vulnerability in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows a privileged attacker to embed malicious JavaScript in the SNMP trap receivers form. Upon visiting the /agent/actionrecipient Event Action/Recipient page, the embedded code will be...

CVE-2019-10049

It is possible for an attacker with regular user access to the web application of Pydio through 8.2.2 to trick an administrator user into opening a link shared through the application, that in turn opens a shared file that contains JavaScript code that is executed in the context of the victim use...

CVE-2019-7940

A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with...

CVE-2017-1000223

A stored web content injection vulnerability WCI, a.k.a XSS is present in MODX Revolution CMS version 2.5.6 and earlier. An authenticated user with permissions to edit users can save malicious JavaScript as a User Group name and potentially take control over victims' accounts. This can lead to an...

CVE-2025-40633

A Stored Cross-Site Scripting XSS vulnerability has been found in Koibox for versions prior to e8cbce2. This vulnerability allows an authenticated attacker to upload an image containing malicious JavaScript code as profile picture in the '/es/dashboard/clientes/ficha/' endpoint...

Koibox 跨站脚本漏洞

Koibox is a beauty center management software from Koibox, Inc. A cross-site scripting vulnerability exists in versions prior to Koibox e8cbce2, which stems from allowing the upload of images containing malicious JavaScript, which could lead to a stored cross-site scripting attack...

Adobe Connect Cross-Site Scripting Vulnerability (CNVD-2025-10676)

Adobe Connect is a software for creating meeting environments from the American company Audobee Adobe. Adobe Connect suffers from a cross-site scripting vulnerability that can be exploited by an attacker to execute malicious JavaScript...

Adobe Connect Cross-Site Scripting Vulnerability (CNVD-2025-10675)

Adobe Connect is a software for creating meeting environments from the American company Audobee Adobe. Adobe Connect suffers from a cross-site scripting vulnerability that can be exploited by an attacker to execute malicious JavaScript...

Adobe Connect Cross-Site Scripting Vulnerability (CNVD-2025-10674)

Adobe Connect is a software for creating meeting environments from the American company Audobee Adobe. Adobe Connect suffers from a cross-site scripting vulnerability that can be exploited by an attacker to execute malicious JavaScript...