| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| ecard.php in Coppermine Photo Gallery (CPG) 1.5.46 has XSS via the sender_name, recipient_email, greetings, or recipient_name parameter. |
| GeniXCMS 1.1.5 has XSS via the dbuser or dbhost parameter during step 1 of installation. |
| The Mondula Multi Step Form plugin through 1.2.5 for WordPress allows XSS via the fw_data [id][1], fw_data [id][2], fw_data [id][3], fw_data [id][4], or email field of the contact form, exploitable with an fw_send_email action to wp-admin/admin-ajax.php. |
| There is a Persistent XSS vulnerability in the briefcase component of Synacor Zimbra Collaboration Suite (ZCS) Zimbra Web Client (ZWC) 8.8.8 before 8.8.8 Patch 7 and 8.8.9 before 8.8.9 Patch 1. |
| blog/index.php in SansCMS 0.7 has XSS via the q parameter. |
| MetInfo 6.0.0 allows XSS via a modified name of the navigation bar on the home page. |
| An issue was discovered in idreamsoft iCMS before 7.0.10. XSS exists via the fourth and fifth input elements on the admincp.php?app=prop&do=add screen. |
| An issue was discovered in Creme CRM 1.6.12. The organization creation page is affected by 9 stored cross-site scripting vulnerabilities involving the name, billing_address-address, billing_address-zipcode, billing_address-city, billing_address-department, shipping_address-address, shipping_address-zipcode, shipping_address-city, and shipping_address-department parameters. |
| An issue was discovered in Creme CRM 1.6.12. The salesman creation page is affected by 10 stored cross-site scripting vulnerabilities involving the firstname, lastname, billing_address-address, billing_address-zipcode, billing_address-city, billing_address-department, shipping_address-address, shipping_address-zipcode, shipping_address-city, and shipping_address-department parameters. |
| The New Threads plugin before 1.2 for MyBB has XSS. |
| joyplus-cms 1.6.0 has XSS via the manager/admin_ajax.php can_search_device array parameter. |
| The Website Manager module in SEO Panel 3.13.0 and earlier is affected by a stored Cross-Site Scripting (XSS) vulnerability, allowing remote authenticated attackers to inject arbitrary web script or HTML via the websites.php name parameter. |
| InstantCMS 2.10.1 has /redirect?url= XSS. |
| In Graylog before 2.4.6, XSS was possible in typeahead components, related to components/common/TypeAheadInput.jsx and components/search/QueryInput.ts. |
| The demo feature in Oracle GlassFish Open Source Edition 5.0 has TCP port 7676 open by default with a password of admin for the admin account. This allows remote attackers to obtain potentially sensitive information, perform database operations, or manipulate the demo via a JMX RMI session, aka a "jmx_rmi remote monitoring and control problem." NOTE: this is not an Oracle supported product. |
| PHP Scripts Mall JOB SITE (aka Job Portal) 3.0.1 has Cross-site Scripting (XSS) via the search bar. |
| Pimcore allows XSS via Users, Assets, Data Objects, Video Thumbnails, Image Thumbnails, Field-Collections, Objectbrick, Classification Store, Document Types, Predefined Properties, Predefined Asset Metadata, Quantity Value, and Static Routes functions. |
| In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. |
| In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy. |
| In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. |
