16 matches found

Github Security Blog
added 2026/02/18 10:07 p.m., 4 views

LibreNMS /port-groups name Stored Cross-Site Scripting

Summary /port-groups name Stored Cross-Site Scripting - HTTP POST - Request-URIs: "/port-groups" - Vulnerable parameters: "name" - Attacker must be authenticated with "admin" privileges. - When a user adds a port group, an HTTP POST request is sent to the Request-URI "/port-groups". The name of t...

CVSS 5.1, AI score 5.5, EPSS 0.00004
Exploits 1, References 6, Affected Software 1
RedhatCVE
added 2026/01/07 9:30 a.m., 4 views

CVE-2019-16979

In FusionPBX up to v4.5.7, the file app\contacts\contact_urls.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS...

CVSS 6.1, AI score 6.8, EPSS 0.00328
Exploits 0, References 1
OSV
added 2025/12/05 6:15 p.m., 1 view

CVE-2025-34261

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devicegroups/ endpoint. When an authenticated user creates a device group, the name and description values are stored and later rendered in device group listings without...

CVSS 5.4, AI score 5.7, EPSS 0.00024
Exploits 0, References 3
Positive Technologies
added 2025/12/05 12:00 a.m., 3 views

PT-2025-49282

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devicegroups/ endpoint. When an authenticated user creates a device group, the name and description values are stored and later rendered in device group listings without...

CVSS 5.1, AI score 5.4, EPSS 0.00024
Exploits 0, References 4
Vulnrichment
added 2025/10/15 6:43 a.m., 2 views

CVE-2025-11161 WPBakery Page Builder <= 8.6.1 - Stored Cross-Site Scripting via vc_custom_heading Shortcode

The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vc_custom_heading shortcode in all versions up to, and including, 8.6.1. This is due to insufficient restriction of allowed HTML tags and improper sanitization of user-supplied attributes in the...

CVSS 6.4, AI score 4.6, EPSS 0.00024
Exploits 0, References 2
RedhatCVE
added 2025/06/06 8:12 p.m., 21 views

CVE-2025-32015

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, HTML is sanitized improperly inside the <iframe srcdoc> attribute, which leads to cross-site scripting (XSS) by loading an attacker's UserJS inside <iframe srcdoc>...

CVSS 6.7, AI score 5.9, EPSS 0.00527
Exploits 1, References 1
Cvelist
added 2025/06/04 7:59 p.m., 12 views

CVE-2025-32015 FreshRSS vulnerable to Cross-site Scripting by embedding <script> tag inside <iframe srcdoc>

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, HTML is sanitized improperly inside the <iframe srcdoc> attribute, which leads to cross-site scripting (XSS) by loading an attacker's UserJS inside <iframe srcdoc>. In order to execute the attack, the attacker needs to control one of the victim's feeds and...

CVSS 6.7, EPSS 0.00527
Exploits 1, References 2
Vulnrichment
added 2025/06/04 7:59 p.m., 10 views

CVE-2025-32015 FreshRSS vulnerable to Cross-site Scripting by embedding <script> tag inside <iframe srcdoc>

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, HTML is sanitized improperly inside the <iframe srcdoc> attribute, which leads to cross-site scripting (XSS) by loading an attacker's UserJS inside <iframe srcdoc>. In order to execute the attack, the attacker needs to control one of the victim's feeds and...

CVSS 6.7, AI score 6.7, EPSS 0.00527
Exploits 1, References 2
wpexploit
added 2021/09/21 12:00 a.m., 496 views

Allow REL= and HTML in Author Bios <= .1- Author+ Stored Cross-Site Scripting

The plugin does not sanitise the allowed HTML in the Bio field, allowing a user with a role as low as Author to perform Cross-Site Scripting attacks against users viewing their posts. As Author, put a JS payload such as alert(/XSS/) in your Biographical Info via your Profile, then access any public posts made by...

AI score 6.5
Exploits 0
Veracode
added 2021/06/05 9:59 p.m., 40 views

Arbitrary Values

go is affected by an arbitrary-values vulnerability. The vulnerability exists because arbitrary values retrieved from DNS are not sanitized before being included in HTML...

CVSS 7.3, AI score 1.4, EPSS 0.00031
Exploits 1, References 5, Affected Software 23
AlpineLinux
added 2021/03/21 4:39 a.m., 51 views

CVE-2021-28957

An XSS vulnerability was discovered in python-lxml's clean module in versions before 4.6.3. When the safe_attrs_only and forms arguments are disabled, the Cleaner class does not remove the formaction attribute, allowing JS to bypass the sanitizer. A remote attacker could exploit this flaw to run...

CVSS 6.1, AI score 6.9, EPSS 0.00518
Exploits 1
Veracode
added 2020/06/02 4:58 a.m., 19 views

Cross-site Scripting (XSS)

portal-web is vulnerable to cross-site scripting (XSS). The vulnerability exists because the values of category.getName() and message.getSubject() were not sanitized when displaying the html/portlet/messageboards/search.jsp search results...

CVSS 3.5, AI score 1.4, EPSS 0.00646
Exploits 1, References 8, Affected Software 1
RedhatCVE
added 2018/03/13 10:48 a.m., 26 views

CVE-2018-1000095

A stored XSS vulnerability was discovered in ovirt-engine 4.2. Sanitization of HTML elements was not applied correctly to all fields shown in the management console. An attacker with VM Admin permissions could use this vulnerability to launch XSS attacks against other VM or Cluster administrators...

CVSS 7.2, AI score 2.4, EPSS 0.00219
Exploits 0, References 2
Debian
added 2011/01/04 4:43 p.m., 24 views

[BSA-015] Security Update for wordpress

Matt Taggart uploaded new packages for wordpress which fix the following security problem: a critical core security bug in the HTML sanitization library (more info: http://wp.me/pZhYe-qt). For the lenny-backports distribution the problem has been fixed in version 3.0.4+dfsg-1~bpo50+1. Upgrade...

AI score 5.8
Exploits 0
Prion
added 2010/04/28 10:30 p.m., 32 views

Design/Logic Flaw

The nsIScriptableUnescapeHTML.parseFragment method in the ParanoidFragmentSink protection mechanism in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, Thunderbird before 3.1.8, and SeaMonkey before 2.0.12 does not properly sanitize HTML in a chrome document, which makes it easier for remot...

CVSS 9.3, AI score 7.4, EPSS 0.01466
Exploits 2, References 9, Affected Software 3
Exploit DB
added 2006/06/07 12:00 a.m., 19 views

Open Business Management 1.0.3 pl1 - 'user_index.php?tf_lastname' Cross-Site Scripting

source: https://www.securityfocus.com/bid/18348/info

Open Business Management is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize HTML and script code from user-supplied input to several parameters before returning it to the user. An attacker could exploit...

AI score 7.4
Exploits 0