| CVE | Vendors | Products | Updated | CVSS v3.1 |
| In MISP 2.4.134, XSS exists in the template element index view because the id parameter is mishandled. |
| OX App Suite 7.10.4 and earlier allows XSS via crafted content to reach an undocumented feature, such as  issue in the 'update user' and 'delete user' functionalities in settings/users.php in EPSON EPS TSE Server 8 (21.0.11) allows an authenticated attacker to inject a JavaScript payload in the user management page that is executed by an administrator. |
| There is a Stored XSS in Magicpin v2.1 in the User Registration section. Each time an admin visits the manage user section from the admin panel, the XSS triggers and the attacker is able to steal the cookie according to the crafted payload. |
| A stored cross site scripting (XSS) vulnerability in Checkmk 1.6.0x prior to 1.6.0p19 allows an authenticated remote attacker to inject arbitrary JavaScript via a javascript: URL in a view title. |
| Improper input validation in Nagios Fusion 4.1.8 and earlier allows a remote attacker with control over a fused server to inject arbitrary HTML, aka XSS. |
| OpenAsset Digital Asset Management (DAM) through 12.0.19 does not correctly sanitize user supplied input in multiple parameters and endpoints, allowing for reflected cross-site scripting attacks. |
| OpenAsset Digital Asset Management (DAM) through 12.0.19 does not correctly sanitize user supplied input in multiple parameters and endpoints, allowing for stored cross-site scripting attacks. |
| Cross Site Scripting (XSS) vulnerability in ChurchCRM version 4.2.1, allows remote attackers to execute arbitrary code and gain sensitive information via crafted payload in Add New Deposit field in View All Deposit module. |
| Cross Site Scripting (XSS) vulnerability in xCss Valine v1.4.14 via the nick parameter to /classes/Comment. |
| Cross-site scripting (XSS) exists in SeedDMS 6.0.13 via the folderid parameter to views/bootstrap/class.DropFolderChooser.php. |
| Deskpro Cloud Platform and on-premise 2020.2.3.48207 from 2020-07-30 contains a cross-site scripting (XSS) vulnerability that can lead to an account takeover via custom email templates. |
| Cross Site Scripting (XSS) vulnerability in content1 parameter in demo.jsp in kindsoft kindeditor version 4.1.12, allows attackers to execute arbitrary code. |
| The Stockdio Historical Chart plugin before 2.8.1 for WordPress is affected by Cross Site Scripting (XSS) via stockdio_chart_historical-wp.js in wp-content/plugins/stockdio-historical-chart/assets/ because the origin of a postMessage() event is not validated. The stockdio_eventer function listens for any postMessage event. After a message event is sent to the application, this function sets the "e" variable as the event and checks that the types of the data and data.method are not undefined (empty) before proceeding to eval the data.method received from the postMessage. However, on a different website, JavaScript code can call window.open for the vulnerable WordPress instance and do a postMessage(msg,'*') for that object. |
| The WPBakery plugin before 6.4.1 for WordPress allows XSS because it calls kses_remove_filters to disable the standard WordPress XSS protection mechanism for the Author and Contributor roles. |
| In Progress MOVEit Transfer before 2020.1, a malicious user could craft and store a payload within the application. If a victim within the MOVEit Transfer instance interacts with the stored payload, it could invoke and execute arbitrary code within the context of the victim's browser (XSS). |
| This affects the package vis-timeline before 7.4.4. An attacker with the ability to control the items of a Timeline element can inject additional script code into the generated application. |
| This affects the package @scullyio/scully before 1.0.9. The transfer state is serialised with the JSON.stringify() function and then written into the HTML page. |
| This affects all versions of package markdown-it-decorate. An attacker can add an event handler or use javascript:xxx for the link. |