5 matches found
CVE-2020-15178
In PrestaShop contactform module prestashop/contactform before version 4.3.0, an attacker is able to inject JavaScript while using the contact form. The message field was incorrectly unescaped, possibly allowing attackers to execute arbitrary JavaScript in a victim's browser...
PT-2023-17261 · WordPress · Wp Inventory Manager
Name of the Vulnerable Software and Affected Versions: WP Inventory Manager versions prior to 2.1.0.12
Description: The issue concerns a Reflected Cross-Site Scripting problem. It arises because the message parameter is not properly sanitised and escaped before being outputted back in the page...
CVE-2020-36599
lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 and before 2.0 does not escape the message_key value...
Unescaped message used in HTML within LogEventsList
More info at https://phabricator.wikimedia.org/T256171...
Unescaped message used in HTML on Special:Contributions
More info at https://phabricator.wikimedia.org/T255918...