a3 Portfolio < 3.1.1 - Author+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the author role and above to perform Stored Cross-Site Scripting attacks...
WPBulky < 1.0.10 - Contributor+ Stored Cross-Site Scripting
Description The plugin does not properly sanitize user input via its sanitize function, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Cross-site Scripting (XSS)
actionpack is vulnerable to Cross-site Scripting (XSS). The vulnerability exists because the redirect_to function of redirecting.rb does not properly check the provided URL for illegal characters, resulting in the downstream services which enforce RFC compliance on HTTP response headers to remove the...
CVE-2023-32535
Certain dashboard widgets on Trend Micro Apex Central on-premise are vulnerable to cross-site scripting (XSS) attacks that may allow an attacker to achieve remote code execution on affected servers. This is similar to, but not identical to, CVE-2023-32531 through 32534...
CVE-2023-31408
Cleartext Storage of Sensitive Information in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows a remote attacker to potentially steal user credentials that are stored in the user's browser's local storage via cross-site-scripting attac...
Pretty Url <= 1.5.4 - Admin+ Stored XSS in plugin settings
The plugin does not sanitize and escape the URL field in the plugin settings, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup). PoC 1. In the "Enter the URL:" field, add the XSS...
PT-2023-1733 · Microsoft · Dynamics 365
Name of the Vulnerable Software and Affected Versions: Microsoft Dynamics 365 on-premises (affected versions not specified). Description: The issue is related to insufficient protection of the web page structure in Microsoft Dynamics 365, which can lead to cross-site scripting attacks. An attacker,...
Google Maps v3 Shortcode <= 1.2.1 - Contributor+ XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
PT-2023-1499 · Fortinet · Fortinac
Name of the Vulnerable Software and Affected Versions: FortiNAC versions 9.4.1 and below, FortiNAC versions 9.2.6 and below, FortiNAC versions 9.1.8 and below, FortiNAC versions 8.8.11 and below, FortiNAC versions 8.7.6 and below, FortiNAC versions 8.6.5 and below, FortiNAC versions 8.5.4 and below...
CVE-2022-4833 YourChannel: Everything you want in a YouTube plugin < 1.2.3 - Contributor+ Stored XSS via Shortcode
The YourChannel: Everything you want in a YouTube plugin WordPress plugin before 1.2.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks...
Arigato Autoresponder and Newsletter < 2.7.1.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup)...
CVE-2022-4545
The Sitemap WordPress plugin before 4.4 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users...
Cross site scripting
A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to conduct cross-site scripting attacks against other users of the application web-based management interface. This vulnerability is due to improper validation of...
Fusiondirectory Cross-Site Scripting Vulnerability
FusionDirectory is an open source identity management application. A cross-site scripting vulnerability exists in FusionDirectory version 1.3. The vulnerability stems from a lack of effective filtering and escaping of user-supplied data, whi...
Cross site scripting
The Preview functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 uses eval unsafely. This allows attackers to perform Cross-site Scripting attacks on admin panel users by manipulating the generated preview application response...
Security Bulletin: Multiple security vulnerabilities in Swagger UI affect IBM Business Automation Workflow and IBM Business Process Manager (BPM)
Summary: IBM Business Process Manager and IBM Business Automation Workflow are affected by multiple security vulnerabilities found in Swagger UI. Vulnerability Details CVEID: CVE-2012-6708 DESCRIPTION: jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) functio...
Visual Composer Website Builder < 45.0.1 - Authenticated Stored XSS via Text Block
The plugin does not sanitise and escape its Text Block fields, which could allow users with access to the plugin's editor to perform Cross-Site Scripting attacks. PoC: Create a post using the plugin editor, add a Text Block and put the following payload in its content: The XSS will be triggered whe...
PT-2022-16288 · WordPress · Digital Publications By Supsystic
Name of the Vulnerable Software and Affected Versions: Digital Publications by Supsystic WordPress plugin versions prior to 1.7.4. Description: The issue allows high-privilege users, such as admins, to perform Cross-Site Scripting attacks due to the lack of sanitization and escaping of its setting...