Cross-Site Scripting in express-cart

All versions of harp are vulnerable to Cross-Site Scripting. In the admin page it is possible to inject arbitrary JavaScript as a new product option, allowing attackers to execute arbitrary code. This is limited to the admin page and does not affect other pages. Recommendation No fix is currently...

Cross-Site Scripting in highcharts

Versions of highcharts prior to 7.2.2 or 8.1.1 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize href values and does not restrict URL schemes, allowing attackers to execute arbitrary JavaScript in a victim's browser if they click the link...

WP Customer Reviews < 3.4.3 - Multiple Unauthenticated and Low Priv Authenticated Stored XSS

Multiple stored cross-site scripting vulnerabilities in WP Customer Reviews 3.4.2 and lower allow remote attackers to inject arbitrary JavaScript code or HTML. PoC If WP Customer Reviews is enabled on a page, an unauthenticated attacker can exploit XSS via review form's parameters: - Reviewer Nam...

Cross-Site Scripting (XSS)

tinymce is vulnerable to cross-site scripting XSS. An attacker is able to inject and execute arbitrary Javascript in a user's browser when the library is configured in classic editing mode. The stripping and sanitization logic of TinyMCE can be bypassed using nested and non-terminated HTML tags,...

Cross-Site Scripting (XSS)

prismjs is vulnerable to cross-site scripting XSS. A remote attacker is able to inject and execute arbitrary Javascript via the easing preview of the Previewers plugin...

Cross-Site Scripting (XSS)

Jenkins is vulnerable to cross-site scripting. The agent name in the build time trend page is not validated, allowing an attacker to inject and execute arbitrary Javascript in a user's browser...

Cross site scripting

IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID...

CVE-2020-4542

The CVE-2020-4542 entry describes a cross-site scripting vulnerability in IBM Jazz Foundation and IBM Engineering products, allowing an attacker to embed arbitrary JavaScript in the Web UI and potentially disclose credentials within a trusted session. Affected products/versions include IBM RQM (6...

CVE-2020-11583

A GET-based XSS reflected vulnerability in Plesk Obsidian 18.0.17 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter...

Security Bulletin: Financial Transaction Manager for High Value Payments is affected by a potential Cross-Site Scripting (Reflected) vulnerability (CVE-2020-4560)

Summary This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. Vulnerability Details CVEID: CVE-2020-4560 DESCRIPTION: IBM Financial Transaction Manager is...

Cross-site Scripting (XSS)

magento is vulnerable to cross-site scripting XSS. The vulnerability exists as it does not sanitize the values of importedfile, 'Download', and $row-getData'errorfile', allowing an attacker to inject and execute arbitrary Javascript in a user's browser...

CVE-2020-4645

IBM Planning Analytics Local 2.0.0 through 2.0.9.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force I...

CVE-2019-18834

Persistent XSS in the WooCommerce Subscriptions plugin before 2.6.3 for WordPress allows remote attackers to execute arbitrary JavaScript because Billing Details are mishandled in WCSAdminPostTypes in class-wcs-admin-post-types.php...

Cross site scripting

Persistent XSS in the WooCommerce Subscriptions plugin before 2.6.3 for WordPress allows remote attackers to execute arbitrary JavaScript because Billing Details are mishandled in WCSAdminPostTypes in class-wcs-admin-post-types.php...

CVE-2019-18834

Persistent XSS in the WooCommerce Subscriptions plugin before 2.6.3 for WordPress allows remote attackers to execute arbitrary JavaScript because Billing Details are mishandled in WCSAdminPostTypes in class-wcs-admin-post-types.php...

CVE-2020-14063

A stored Cross-Site Scripting XSS vulnerability in the TC Custom JavaScript plugin before 1.2.2 for WordPress allows unauthenticated remote attackers to inject arbitrary JavaScript via the tccj-content parameter. This is displayed in the page footer of every front-end page and executed in the...

Cross site scripting

A stored Cross-Site Scripting XSS vulnerability in the TC Custom JavaScript plugin before 1.2.2 for WordPress allows unauthenticated remote attackers to inject arbitrary JavaScript via the tccj-content parameter. This is displayed in the page footer of every front-end page and executed in the...

CVE-2020-14063

A stored Cross-Site Scripting XSS vulnerability in the TC Custom JavaScript plugin before 1.2.2 for WordPress allows unauthenticated remote attackers to inject arbitrary JavaScript via the tccj-content parameter. This is displayed in the page footer of every front-end page and executed in the...

Cross site scripting

docsify prior to 4.11.4 is susceptible to Cross-site Scripting XSS. Docsify.js uses fragment identifiers parameters after sign to load resources from server-side .md files. Due to lack of validation here, it is possible to provide external URLs after the // domain.com///attacker.com and render...

Cross-Site Scripting (XSS)

francoisjacquet/rosariosis is vulnerable to cross-site scripting XSS. A remote attacker is able to inject and execute arbitrary Javascript in a user's browser via the includeinactive parameter in PrintSchedules.php...