| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| XSS exists in DiliCMS 2.4.0 via the admin/index.php/setting/site?tab=site_attachment attachment_type parameter. |
| Virtualmin 6.03 allows XSS via the query string, as demonstrated by the webmin_search.cgi URI. |
| Mediamanager in REDAXO before 5.6.4 has XSS. |
| The $opener_input_field variable in addons/mediapool/pages/index.php in REDAXO 5.6.3 is not effectively filtered and is output directly to the page. The attacker can insert XSS payloads via an index.php?page=mediapool/media&opener_input_field=[XSS] request. |
| The Bixie Portfolio plugin 1.2.0 for Pagekit has XSS: a logged-in user who has the "Manage portfolio" privilege can inject arbitrary web script or HTML via the Image URL field in the portfolio editor. The vulnerability is triggered by visiting /portfolio/${project_title}. |
| XSS exists in Waimai Super Cms 20150505 via the fname parameter to the admin.php?m=Food&a=addsave or admin.php?m=Food&a=editsave URI. |
| process_forms in the WPML (aka sitepress-multilingual-cms) plugin through 3.6.3 for WordPress has XSS via any locale_file_name_ parameter (such as locale_file_name_en) in an authenticated theme-localization.php request to wp-admin/admin.php. |
| An issue was discovered in dialog.php in tecrail Responsive FileManager 9.8.1. A reflected XSS vulnerability allows remote attackers to inject arbitrary web script or HTML. |
| A vulnerability in flashcanvas.swf in OpenEMR before 5.0.1 Patch 6 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system. |
| Navigate CMS has Stored XSS via the navigate.php Title field in an edit action. |
| XSS exists in the Tribulant Slideshow Gallery plugin 1.6.8 for WordPress via the wp-admin/admin.php?page=slideshow-slides&method=save Slide[title], Slide[media_file], or Slide[image_url] parameter. |
| XSS exists in the Tribulant Slideshow Gallery plugin 1.6.8 for WordPress via the wp-admin/admin.php?page=slideshow-galleries&method=save Gallery[id] or Gallery[title] parameter. |
| dirary0.js on D-Link DIR-140L, DIR-640L devices allows remote unauthenticated attackers to discover admin credentials. |
| spaces.htm on multiple D-Link devices (DSL, DIR, DWR) allows remote unauthenticated attackers to discover admin credentials. |
| atbox.htm on D-Link DSL-2770L devices allows remote unauthenticated attackers to discover admin credentials. |
| Hardcoded credentials in the Ricoh myPrint application 2.9.2.4 for Windows and 2.2.7 for Android give access to any externally disclosed myPrint WSDL API, as demonstrated by discovering API secrets of related Google cloud printers, encrypted passwords of mail servers, and names of printed files. |
| Cross-site scripting in event_script.js in VIVOTEK Network Camera Series products with firmware 0x06x to 0x08x allows remote attackers to execute arbitrary JavaScript via a URL query string parameter. |
| LayerBB 1.1.1 allows XSS via the titles of conversations (PMs). |
| A stored XSS vulnerability exists in the web interface on D-Link DSL-3782 devices with firmware 1.01 that allows authenticated attackers to inject a JavaScript or HTML payload inside the ACL page. The injected payload would be executed in a user's browser when "/cgi-bin/New_GUI/Acl.asp" is requested. |
| Lifesize Express ls ex2_4.7.10 2000 (14) devices allow XSS via the interface/interface.php brand parameter. |
