CVE-2020-12707

An XSS vulnerability exists in modules/wysiwyg/save.php of LeptonCMS 4.5.0. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT elements. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT elements...

CVE-2020-12438

An XSS vulnerability exists in the banners.php page of PHP-Fusion 9.03.50. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT tags. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT tags...

CVE-2020-12058

Several XSS vulnerabilities in osCommerce CE Phoenix before 1.0.6.0 allow an attacker to inject and execute arbitrary JavaScript code. The malicious code can be injected as follows: the page parameter to catalog/admin/orderstatus.php, catalog/admin/taxrates.php, catalog/admin/languages.php,...

CVE-2020-23849

Stored XSS was discovered in the tree mode of jsoneditor before 9.0.2 through injecting and executing JavaScript...

CVE-2020-10242

An issue was discovered in Joomla! before 3.9.16. Inadequate handling of CSS selectors in the Protostar and Beez3 JavaScript allows XSS attacks...

CVE-2020-10103

An XSS issue was discovered in Zammad 3.0 through 3.2. Malicious code can be provided by a low-privileged user through the File Upload functionality in Zammad. The malicious JavaScript will execute within the browser of any user who opens a specially crafted link to the uploaded file with an acti...

CVE-2020-10098

An XSS issue was discovered in Zammad 3.0 through 3.2. Malicious code can be provided by a low-privileged user through the Email functionality. The malicious JavaScript will execute within the browser of any user who opens the Ticket with the Article created from that Email...

CVE-2020-10544

An XSS issue was discovered in tooltip/tooltip.js in PrimeTek PrimeFaces 7.0.11. In a web application using PrimeFaces, an attacker can provide JavaScript code in an input field whose data is later used as a tooltip title without any input validation...

CVE-2020-24349

njs through 0.4.3, used in NGINX, allows control-flow hijack in njsvalueproperty in njsvalue.c. NOTE: the vendor considers the issue to be "fluff" in the NGINX use case because there is no remote attack surface...

CVE-2024-34241

A cross-site scripting XSS vulnerability in Rocketsoft Rocket LMS 1.9 allows an administrator to store a JavaScript payload using the admin web interface when creating new courses and new course notifications...

CVE-2024-41504

Jetimob Plataforma Imobiliaria 20240627-0 is vulnerable to Cross Site Scripting XSS. In the "Oportunidades" opportunities section of the application when creating or editing an "Atividade" activity, the form field "Descrico" allows injection of JavaScript...

CVE-2024-41960

mailcow: dockerized is an open source groupware/email suite based on docker. An authenticated admin user can inject a JavaScript payload into the Relay Hosts configuration. The injected payload is executed whenever the configuration page is viewed, enabling the attacker to execute arbitrary scrip...

CVE-2024-39332

Webswing 23.2.2 allows remote attackers to modify client-side JavaScript code to achieve path traversal, likely leading to remote code execution via modification of shell scripts on the server...

CVE-2024-39772

Mattermost Desktop App versions =5.8.0 fail to safeguard screen capture functionality which allows an attacker to silently capture high-quality screenshots via JavaScript APIs...

CVE-2023-25929

IBM Cognos Analytics 11.1 and 11.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 247861...

CVE-2023-43718

Os Commerce is currently susceptible to a Cross-Site Scripting XSS vulnerability. This vulnerability allows attackers to inject JS through the "MSEARCHENABLETITLE1" parameter, potentially leading to unauthorized execution of scripts within a user's web browser...

CVE-2023-50823

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Wipeout Media CSS & JavaScript Toolbox allows Stored XSS.This issue affects CSS & JavaScript Toolbox: from n/a through 11.7...

CVE-2023-50307

IBM Sterling B2B Integrator 6.0.0.0 through 6.0.3.9, 6.1.0.0 through 6.1.2.3, and 6.2.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure...

CVE-2023-50303

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 273333...

CVE-2023-49802

The LinkedCustomFields plugin for MantisBT allows users to link values between two custom fields, creating linked drop-downs. Prior to version 2.0.1, cross-site scripting in the MantisBT LinkedCustomFields plugin allows Javascript execution, when a crafted Custom Field is linked via the plugin an...