Threat Intelligence

CVE-2023-41447 (v3: 6.1) 28 Sept 2023

Cross Site Scripting vulnerability in phpkobo AjaxNewTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted payload to the subcmd parameter in the index.php component.

CVE-2023-41446 (v3: 6.1) 28 Sept 2023

Cross Site Scripting vulnerability in phpkobo AjaxNewTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted script to the title parameter in the index.php component.

CVE-2021-43692 (v3: 6.1) 29 Nov 2021

An unspecified version of youtube-php-mirroring is affected by a Cross Site Scripting (XSS) vulnerability in file ytproxy/index.php.

CVE-2021-43697 (v3: 6.1) 29 Nov 2021

An unspecified version of Workerman-ThinkPHP-Redis is affected by a Cross Site Scripting (XSS) vulnerability. In file Controller.class.php, the exit function will terminate the script and print the message to the user. The message will contain $_GET{C('VAR_JSONP_HANDLER')] then there is a XSS vulnerability.

CVE-2021-43698 (v3: 6.1) 29 Nov 2021

An unspecified version of phpWhois is affected by a Cross Site Scripting (XSS) vulnerability. In file example.php, the exit function will terminate the script and print the message to the user. The message will contain $_GET['query'] then there is a XSS vulnerability.

CVE-2021-40541 (v3: 6.1) 11 Oct 2021

PHPFusion 9.03.110 is affected by cross-site scripting (XSS) in the preg patterns filter html tag without "//" in descript() function An authenticated user can trigger XSS by appending "//" in the end of text.

CVE-2021-26303 (v3: 6.1) 29 Jan 2021

PHPGurukul Daily Expense Tracker System 1.0 is vulnerable to stored XSS via the user-profile.php Full Name field.

CVE-2021-26304 (v3: 6.1) 29 Jan 2021

PHPGurukul Daily Expense Tracker System 1.0 is vulnerable to stored XSS via the add-expense.php Item parameter.

CVE-2020-35132 (v3: 5.4) 11 Dec 2020

An XSS issue has been discovered in phpLDAPadmin before 1.2.6.2 that allows users to store malicious values that may be executed by other users at a later time via get_request in lib/function.php.

CVE-2020-13827 (v3: 6.1) 4 Jun 2020

phpList before 3.5.4 allows XSS via /lists/admin/user.php and /lists/admin/users.php.

CVE-2020-12718 (v3: 5.4) 8 May 2020

In administration/comments.php in PHP-Fusion 9.03.50, an authenticated attacker can take advantage of a stored XSS vulnerability in the Preview Comment feature. The protection mechanism can be bypassed by using HTML event handlers such as ontoggle.

CVE-2020-12706 (v3: 5.4) 7 May 2020

Multiple Cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the go parameter to faq/faq_admin.php or shoutbox_panel/shoutbox_admin.php

CVE-2020-12708 (v3: 6.1) 7 May 2020

Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the cat_id parameter to downloads/downloads.php or article.php. NOTE: this might overlap CVE-2012-6043.

CVE-2020-12639 (v3: 6.1) 4 May 2020

phpList before 3.5.3 allows XSS, with resultant privilege elevation, via lists/admin/template.php.

CVE-2020-12438 (v3: 5.4) 28 Apr 2020

An XSS vulnerability exists in the banners.php page of PHP-Fusion 9.03.50. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT tags. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT tags.

CVE-2020-12132 (v3: 6.1) 24 Apr 2020

Fifthplay S.A.M.I before 2019.3_HP2 allows unauthenticated stored XSS via a POST request.

CVE-2020-7132 (v3: 5.4) 23 Apr 2020

A potential security vulnerability has been identified in HPE Onboard Administrator. The vulnerability could be remotely exploited to allow Reflected Cross Site Scripting. HPE has made the following software updates and mitigation information to resolve the vulnerability in HPE Onboard Administrator. * OA 4.95 (Linux and Windows).

CVE-2020-12054 (v3: 6.1) 23 Apr 2020

The Catch Breadcrumb plugin before 1.5.4 for WordPress allows Reflected XSS via the s parameter (a search query). Also affected are 16 themes (if the plugin is enabled) by the same author: Alchemist and Alchemist PRO, Izabel and Izabel PRO, Chique and Chique PRO, Clean Enterprise and Clean Enterprise PRO, Bold Photography PRO, Intuitive PRO, Devotepress PRO, Clean Blocks PRO, Foodoholic PRO, Catch Mag PRO, Catch Wedding PRO, and Higher Education PRO.

CVE-2020-5557 (v3: 6.1) 25 Mar 2020

Cross-site scripting vulnerability in CuteNews 2.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2020-10442 (v3: 4.8) 12 Mar 2020

The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/report-article-popular.php by adding a question mark (?) followed by the payload.

CVE-2020-10443 (v3: 4.8) 12 Mar 2020

The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/report-article-printed.php by adding a question mark (?) followed by the payload.

CVE-2020-10444 (v3: 4.8) 12 Mar 2020

The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/report-article-rated.php by adding a question mark (?) followed by the payload.

CVE-2020-10445 (v3: 4.8) 12 Mar 2020

The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/report-article.php by adding a question mark (?) followed by the payload.

CVE-2020-10446 (v3: 4.8) 12 Mar 2020

The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/report-category.php by adding a question mark (?) followed by the payload.

CVE-2020-10447 (v3: 4.8) 12 Mar 2020

The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/report-failed-login.php by adding a question mark (?) followed by the payload.

CVE-2020-10448 (v3: 4.8) 12 Mar 2020

The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/report-referrers.php by adding a question mark (?) followed by the payload.

CVE-2020-10449 (v3: 4.8) 12 Mar 2020

The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/report-search.php by adding a question mark (?) followed by the payload.

CVE-2020-10450 (v3: 4.8) 12 Mar 2020

The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/report-traffic.php by adding a question mark (?) followed by the payload.

CVE-2020-10451 (v3: 4.8) 12 Mar 2020

The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/report-user.php by adding a question mark (?) followed by the payload.

CVE-2020-10452 (v3: 4.8) 12 Mar 2020

The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/save-article.php by adding a question mark (?) followed by the payload.

CVE-2020-10453 (v3: 4.8) 12 Mar 2020

The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/search-users.php by adding a question mark (?) followed by the payload.

CVE-2020-10454 (v3: 4.8) 12 Mar 2020

The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/sitemap-generator.php by adding a question mark (?) followed by the payload.

CVE-2020-10455 (v3: 4.8) 12 Mar 2020

The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/translate.php by adding a question mark (?) followed by the payload.

CVE-2020-10456 (v3: 4.8) 12 Mar 2020

The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/trash-box.php by adding a question mark (?) followed by the payload.

CVE-2020-10461 (v3: 6.1) 12 Mar 2020

The way comments in article.php (vulnerable function in include/functions-article.php) are handled in Chadha PHPKB Standard Multi-Language 9 allows attackers to execute Stored (Blind) XSS (injecting arbitrary web script or HTML) in admin/manage-comments.php, via the GET parameter cmt.

CVE-2020-10462 (v3: 4.8) 12 Mar 2020

Reflected XSS in admin/edit-field.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter p.

CVE-2020-10463 (v3: 4.8) 12 Mar 2020

Reflected XSS in admin/edit-template.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter p.

CVE-2020-10464 (v3: 4.8) 12 Mar 2020

Reflected XSS in admin/edit-article.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter p.

CVE-2020-10465 (v3: 4.8) 12 Mar 2020

Reflected XSS in admin/edit-category.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter p.

CVE-2020-10466 (v3: 4.8) 12 Mar 2020

Reflected XSS in admin/edit-glossary.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter p.

CVE-2020-10467 (v3: 4.8) 12 Mar 2020

Reflected XSS in admin/edit-comment.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter p.

CVE-2020-10468 (v3: 4.8) 12 Mar 2020

Reflected XSS in admin/edit-news.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter p.

CVE-2020-10469 (v3: 4.8) 12 Mar 2020

Reflected XSS in admin/manage-departments.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort.

CVE-2020-10470 (v3: 4.8) 12 Mar 2020

Reflected XSS in admin/manage-fields.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort.

CVE-2020-10471 (v3: 4.8) 12 Mar 2020

Reflected XSS in admin/manage-articles.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort.

CVE-2020-10472 (v3: 4.8) 12 Mar 2020

Reflected XSS in admin/manage-templates.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort.

CVE-2020-10473 (v3: 4.8) 12 Mar 2020

Reflected XSS in admin/manage-categories.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort.

CVE-2020-10474 (v3: 4.8) 12 Mar 2020

Reflected XSS in admin/manage-comments.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort.

CVE-2020-10475 (v3: 4.8) 12 Mar 2020

Reflected XSS in admin/manage-tickets.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort.

CVE-2020-10476 (v3: 4.8) 12 Mar 2020

Reflected XSS in admin/manage-glossary.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort.

CVE-2020-10477 (v3: 4.8) 12 Mar 2020

Reflected XSS in admin/manage-news.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort.

CVE-2020-10388 (v3: 6.1) 12 Mar 2020

The way the Referer header in article.php is handled in Chadha PHPKB Standard Multi-Language 9 allows attackers to execute Stored (Blind) XSS (injecting arbitrary web script or HTML) in admin/report-referrers.php (vulnerable file admin/include/functions-articles.php).

CVE-2020-10391 (v3: 4.8) 12 Mar 2020

The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/add-article.php by adding a question mark (?) followed by the payload.

CVE-2020-10392 (v3: 4.8) 12 Mar 2020

The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/add-category.php by adding a question mark (?) followed by the payload.

CVE-2020-10393 (v3: 4.8) 12 Mar 2020

The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/add-field.php by adding a question mark (?) followed by the payload.

CVE-2020-10394 (v3: 4.8) 12 Mar 2020

The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/add-glossary.php by adding a question mark (?) followed by the payload.

CVE-2020-10395 (v3: 4.8) 12 Mar 2020

The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/add-group.php by adding a question mark (?) followed by the payload.

CVE-2020-10396 (v3: 4.8) 12 Mar 2020

The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/add-language.php by adding a question mark (?) followed by the payload.

CVE-2019-11999 (v3: 6.9) 16 Apr 2020

Potential security vulnerabilities have been identified in HPE OpenCall Media Platform (OCMP) resulting in remote arbitrary file download and cross site scripting. HPE has made the following updates available to resolve the vulnerability in the impacted versions of OCMP. * For OCMP version 4.4.X - please upgrade to OCMP 4.4.8 and then install RP806 * For OCMP 4.5.x please contact HPE Technical Support to obtain the necessary software updates.

CVE-2019-11997 (v3: 6.1) 16 Jan 2020

A potential security vulnerability has been identified in HPE enhanced Internet Usage Manager (eIUM) versions 8.3 and 9.0. The vulnerability could be used for unauthorized access to information via cross site scripting. HPE has made the following software updates to resolve the vulnerability in eIUM. The eIUM 8.3 FP01 customers are advised to install eIUM83FP01Patch_QXCR1001711284.20190806-1244 patch. The eIUM 9.0 customers are advised to upgrade to eIUM 9.0 FP02 PI5 or later versions. For other versions, please, contact the product support.

CVE-2019-19908 (v3: 6.1) 20 Dec 2019

phpMyChat-Plus 1.98 is vulnerable to reflected XSS via JavaScript injection into the password reset URL. In the URL, the pmc_username parameter to pass_reset.php is vulnerable.

CVE-2019-11992 (v3: 6.1) 18 Dec 2019

A security vulnerability in HPE OneView for VMware vCenter 9.5 could be exploited remotely to allow Cross-Site Scripting.

CVE-2019-11656 (v3: 5.4) 4 Oct 2019

Stored XSS vulnerability in Micro Focus ArcSight Logger, affects versions prior to Logger 6.7.1 HotFix 6.7.1.8262.0. This vulnerability could allow Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

CVE-2019-16703 (v3: 6.1) 23 Sept 2019

admin/infolist_add.php in PHPMyWind 5.6 has stored XSS.

CVE-2019-16704 (v3: 4.8) 23 Sept 2019

admin/infoclass_update.php in PHPMyWind 5.6 has stored XSS.

CVE-2019-14470 (v3: 6.1) 4 Sept 2019

cosenary Instagram-PHP-API (aka Instagram PHP API V2), as used in the UserPro plugin through 4.9.32 for WordPress, has XSS via the example/success.php error_description parameter.

CVE-2019-5403 (v3: 4.8) 9 Aug 2019

A remote multiple cross-site scripting vulnerability was discovered in HPE 3PAR StoreServ Management and Core Software Media version(s): prior to 3.5.0.1.

CVE-2019-3486 (v3: 6.1) 25 Jul 2019

Mitigates a stored cross site scripting issue in ArcSight Security Management Center versions prior to 2.9.1

CVE-2019-3485 (v3: 6.1) 24 Jul 2019

Mitigates a stored cross site scripting issue in ArcSight Logger versions prior to 6.7.1

CVE-2019-1010193 (v3: 6.1) 24 Jul 2019

hisiphp 1.0.8 is affected by: Cross Site Scripting (XSS).

CVE-2019-13472 (v3: 6.1) 9 Jul 2019

PHPWind 9.1.0 has XSS vulnerabilities in the c and m parameters of the index.php file.

CVE-2019-12507 (v3: 6.1) 31 May 2019

An XSS vulnerability exists in PHPRelativePath (aka Relative Path) through 1.0.2 via the RelativePath.Example1.php path parameter.

CVE-2019-9605 (v3: 5.4) 29 Mar 2019

PHP Scripts Mall Online Lottery PHP Readymade Script 1.7.0 has Reflected Cross-site Scripting (XSS) via the err value in a .ico picture upload.

CVE-2019-3480 (v3: 6.1) 25 Mar 2019

Mitigates a stored/reflected XSS issue in ArcSight Logger versions prior to 6.7.

CVE-2019-10027 (v3: 4.8) 25 Mar 2019

PHPCMS 9.6.x through 9.6.3 has XSS via the mailbox (aka E-mail) field on the personal information screen.

CVE-2019-10010 (v3: 6.1) 24 Mar 2019

Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library before 0.18.3 allows remote attackers to insert unsafe links into HTML by using double-encoded HTML entities that are not properly escaped during rendering, a different vulnerability than CVE-2018-20583.

CVE-2019-7660 (v3: 6.1) 7 Mar 2019

An issue was discovered in PHPMyWind 5.5. The username parameter of the /install/index.php page has a stored Cross-site Scripting (XSS) vulnerability, as demonstrated by admin/login.php.

CVE-2019-7661 (v3: 6.1) 7 Mar 2019

An issue was discovered in PHPMyWind 5.5. The method parameter of the data/api/oauth/connect.php page has a reflected Cross-site Scripting (XSS) vulnerability.

CVE-2019-9066 (v3: 5.4) 23 Feb 2019

PHP Scripts Mall PHP Appointment Booking Script 3.0.3 allows HTML injection in a user profile.

CVE-2019-8435 (v3: 4.8) 18 Feb 2019

admin/default.php in PHPMyWind v5.5 has XSS via an HTTP Host header.

CVE-2019-7402 (v3: 6.1) 5 Feb 2019

An issue was discovered in PHPMyWind 5.5. The GetQQ function in include/func.class.php allows XSS via the cfg_qqcode parameter. This can be exploited via CSRF.

CVE-2019-1000010 (v3: 6.1) 4 Feb 2019

phpIPAM version 1.3.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in subnet-scan-telnet.php that can result in executing code in victims browser. This attack appears to be exploitable via victim visits link crafted by an attacker. This vulnerability appears to have been fixed in 1.4.

CVE-2018-14499 (v3: 6.1) 7 Mar 2019

An issue was found in HYBBS through 2016-03-08. There is an XSS vulnerablity via an article title to post.html.

CVE-2018-20583 (v3: 6.1) 30 Dec 2018

Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library versions 0.15.6 through 0.18.x before 0.18.1 allows remote attackers to insert unsafe URLs into HTML (even if allow_unsafe_links is false) via a newline character (e.g., writing javascript as javascri%0apt).

CVE-2018-20557 (v3: 4.8) 28 Dec 2018

An issue was discovered in DouCo DouPHP 1.5 20181221. admin/page.php?rec=edit has XSS via the page_name parameter.

CVE-2018-20558 (v3: 4.8) 28 Dec 2018

An issue was discovered in DouCo DouPHP 1.5 20181221. admin/system.php?rec=update has XSS via the site_name parameter.

CVE-2018-20559 (v3: 4.8) 28 Dec 2018

An issue was discovered in DouCo DouPHP 1.5 20181221. admin/product.php?rec=update has XSS via the name parameter.

CVE-2018-20560 (v3: 4.8) 28 Dec 2018

An issue was discovered in DouCo DouPHP 1.5 20181221. admin/show.php?rec=update has XSS via the show_name parameter.

CVE-2018-20561 (v3: 4.8) 28 Dec 2018

An issue was discovered in DouCo DouPHP 1.5 20181221. admin/article.php?rec=update has XSS via the title parameter.

CVE-2018-20562 (v3: 4.8) 28 Dec 2018

An issue was discovered in DouCo DouPHP 1.5 20181221. admin/article_category.php?rec=update has XSS via the cat_name parameter.

CVE-2018-20563 (v3: 4.8) 28 Dec 2018

An issue was discovered in DouCo DouPHP 1.5 20181221. admin/mobile.php?rec=system&act=update has XSS via the mobile_name parameter.

CVE-2018-20564 (v3: 4.8) 28 Dec 2018

An issue was discovered in DouCo DouPHP 1.5 20181221. admin/product_category.php?rec=update has XSS via the cat_name parameter.

CVE-2018-20565 (v3: 4.8) 28 Dec 2018

An issue was discovered in DouCo DouPHP 1.5 20181221. admin/nav.php?rec=update has XSS via the nav_name parameter.

CVE-2018-1000860 (v3: 4.7) 20 Dec 2018

phpipam version 1.3.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in The value of the phpipamredirect cookie is copied into an HTML tag on the login page encapsulated in single quotes. Editing the value of the cookie to r5zkh'>quqtl exploits an XSS vulnerability. that can result in Arbitrary code executes in victims browser.. This attack appear to be exploitable via Needs to be chained with another exploit that allows an attacker to set or modify a cookie for the phpIPAM instance's domain..

CVE-2018-1000870 (v3: 5.4) 20 Dec 2018

PHPipam version 1.3.2 and earlier contains a CWE-79 vulnerability in /app/admin/users/print-user.php that can result in Execute code in the victims browser. This attack appear to be exploitable via Attacker change theme parameter in user settings. Admin(Victim) views user in admin-panel and gets exploited.. This vulnerability appears to have been fixed in 1.4.

CVE-2018-19970 (v3: 6.1) 11 Dec 2018

In phpMyAdmin before 4.8.4, an XSS vulnerability was found in the navigation tree, where an attacker can deliver a payload to a user through a crafted database/table name.

CVE-2018-20012 (v3: 4.8) 10 Dec 2018

PHPCMF 4.1.3 has XSS via the first input field to the index.php?s=member&c=register&m=index URI.

CVE-2018-20006 (v3: 6.1) 10 Dec 2018

An issue was discovered in PHPok v5.0.055. There is a Stored XSS vulnerability via the title parameter to api.php?c=post&f=save (reachable via the index.php?id=book URI).

CVE-2018-19785 (v3: 6.1) 1 Dec 2018

PHP-Proxy through 5.1.0 has Cross-Site Scripting (XSS) via the URL field in index.php.

CVE-2018-19547 (v3: 6.1) 26 Nov 2018

JTBC(PHP) 3.0.1.7 has XSS via the console/xml/manage.php?type=action&action=edit content parameter.

CVE-2018-19340 (v3: 6.1) 17 Nov 2018

Guriddo Form PHP 5.3 has XSS via the demos/jqform/defaultnodb/default.php OrderID, ShipName, ShipAddress, ShipCity, ShipPostalCode, ShipCountry, Freight, or details parameter.

CVE-2018-19186 (v3: 6.1) 14 Nov 2018

The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via the route.php paymentMethod parameter.

CVE-2018-19187 (v3: 6.1) 14 Nov 2018

The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via an arbitrary parameter name or value that is mishandled in a success.php echo statement.

CVE-2018-19188 (v3: 6.1) 14 Nov 2018

The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via the success.php fort_id parameter.

CVE-2018-19189 (v3: 6.1) 14 Nov 2018

The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via an arbitrary parameter name or value that is mishandled in an error.php echo statement.

CVE-2018-19190 (v3: 6.1) 14 Nov 2018

The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via the error.php error_msg parameter.

CVE-2018-17964 (v3: 6.1) 17 Oct 2018

Aryanic HighPortal 12.5 has XSS via an Add Tags action.

CVE-2018-18381 (v3: 5.4) 16 Oct 2018

Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.

CVE-2018-16326 (v3: 6.1) 4 Oct 2018

PHP Scripts Mall Olx Clone 3.4.2 has XSS.

CVE-2018-16456 (v3: 6.1) 4 Oct 2018

PHP Scripts Mall Website Seller Script 2.0.5 has XSS via a keyword. NOTE: This may overlap with CVE-2018-6870 which has XSS via the Listings Search feature.

CVE-2018-6502 (v3: 6.1) 20 Sept 2018

A potential Reflected Cross-Site Scripting (XSS) Security vulnerability has been identified in ArcSight Management Center (ArcMC) in all versions prior to 2.81. This vulnerability could be exploited to allow for Reflected Cross-site Scripting (XSS).

CVE-2018-17130 (v3: 5.4) 17 Sept 2018

PHPMyWind 5.5 has XSS in member.php via an HTTP Referer header,

CVE-2018-17082 (v3: 6.1) 16 Sept 2018

The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.

CVE-2018-16142 (v3: 6.1) 30 Aug 2018

PHPOK 4.8.278 has a Reflected XSS vulnerability in framework/www/login_control.php via the _back parameter to the ok_f function.

CVE-2018-15605 (v3: 6.1) 24 Aug 2018

An issue was discovered in phpMyAdmin before 4.8.3. A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted file to manipulate an authenticated user who loads that file through the import feature.

CVE-2018-14869 (v3: 5.4) 6 Aug 2018

PHP Template Store Script 3.0.6 allows XSS via the Address line 1, Address Line 2, Bank name, or A/C Holder name field in a profile.

CVE-2018-7075 (v3: 6.1) 6 Aug 2018

A remote cross-site scripting (XSS) vulnerability was identified in HPE Intelligent Management Center (iMC) PLAT version v7.3 (E0506). The vulnerability is fixed in Intelligent Management Center PLAT 7.3 E0605P04 or subsequent version.

CVE-2018-7090 (v3: 6.1) 6 Aug 2018

HPE XP P9000 Command View Advanced Edition Software (CVAE) has local and remote cross site scripting vulnerability in versions 7.0.0-00 to earlier than 8.60-00 of DevMgr, TSMgr and RepMgr.

CVE-2018-12581 (v3: 6.1) 21 Jun 2018

An issue was discovered in js/designer/move.js in phpMyAdmin before 4.8.2. A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted database name to trigger an XSS attack when that database is referenced from the Designer feature.

CVE-2018-11487 (v3: 6.1) 26 May 2018

PHPMyWind 5.5 has XSS via the cid parameter to newsshow.php, or the query string to news.php or about.php.

CVE-2018-6492 (v3: 6.1) 22 May 2018

Persistent Cross-Site Scripting, and non-persistent HTML Injection in HP Network Operations Management Ultimate, version 2017.07, 2017.11, 2018.02 and in Network Automation, version 10.00, 10.10, 10.11, 10.20, 10.30, 10.40, 10.50. This vulnerability could be remotely exploited to allow persistent cross-site scripting, and non-persistent HTML Injection.

CVE-2018-11208 (v3: 4.8) 16 May 2018

** DISPUTED ** An issue was discovered in Z-BlogPHP 2.0.0. There is a persistent XSS that allows remote attackers to inject arbitrary web script or HTML into background web site settings via the "copyright information office" field. NOTE: the vendor indicates that the product was not intended to block this type of XSS by a user with the admin privilege.

CVE-2018-10680 (v3: 6.1) 2 May 2018

** DISPUTED ** Z-BlogPHP 1.5.2 has a stored Cross Site Scripting Vulnerability exploitable by an administrator who navigates to "Web site settings --> Basic setting --> Website title" and enters an XSS payload via the zb_system/cmd.php ZC_BLOG_NAME parameter. NOTE: the vendor disputes the security relevance, noting it is "just a functional bug."

CVE-2018-10547 (v3: 6.1) 29 Apr 2018

An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.

CVE-2018-10329 (v3: 6.1) 24 Apr 2018

app/tools/mac-lookup/index.php in phpIPAM 1.3.1 has Reflected XSS on /tools/mac-lookup/ via the mac parameter.

CVE-2018-9169 (v3: 4.8) 16 Apr 2018

Z-BlogPHP 1.5.1 has XSS via the zb_users/plugin/AppCentre/plugin_edit.php app_id parameter. The component must be accessed directly by an administrator, or through CSRF.

CVE-2018-9238 (v3: 6.1) 4 Apr 2018

proberv.php in Yahei-PHP Proberv 0.4.7 has XSS via the funName parameter.

CVE-2018-0535 (v3: 6.1) 22 Mar 2018

Cross-site scripting vulnerability in PHP 2chBBS version bbs18c allows an attacker to inject arbitrary web script or HTML via unspecified vectors.

CVE-2018-7736 (v3: 6.1) 6 Mar 2018

** DISPUTED ** In Z-BlogPHP 1.5.1.1740, cmd.php has XSS via the ZC_BLOG_SUBNAME parameter or ZC_UPLOAD_FILETYPE parameter. NOTE: the software maintainer disputes that this is a vulnerability.

CVE-2018-7260 (v3: 5.4) 21 Feb 2018

Cross-site scripting (XSS) vulnerability in db_central_columns.php in phpMyAdmin before 4.7.8 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2018-5712 (v3: 6.1) 16 Jan 2018

An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.

CVE-2017-6216 (v3: 6.1) 3 Jul 2019

novaksolutions/infusionsoft-php-sdk v2016-10-31 is vulnerable to a reflected XSS in the leadscoring.php resulting code execution

CVE-2017-18364 (v3: 6.1) 27 Mar 2019

phpFK lite has XSS via the faq.php, members.php, or search.php query string or the user.php user parameter.

CVE-2017-8991 (v3: 5.4) 6 Aug 2018

HPE has identified a cross site scripting (XSS) vulnerability in HPE CentralView Fraud Risk Management earlier than version CV 6.1. This issue is resolved in HF16 for HPE CV 6.1 or subsequent version.

CVE-2017-9002 (v3: 6.1) 6 Aug 2018

All versions of Aruba ClearPass prior to 6.6.8 contain reflected cross-site scripting vulnerabilities. By exploiting this vulnerability, an attacker who can trick a logged-in ClearPass administrative user into clicking a link could obtain sensitive information, such as session cookies or passwords. The vulnerability requires that an administrative users click on the malicious link while currently logged into ClearPass in the same browser.

CVE-2017-6213 (v3: 5.4) 2 Aug 2018

paypal/invoice-sdk-php is vulnerable to reflected XSS in samples/permissions.php via the permToken parameter, resulting in code execution.

CVE-2017-6215 (v3: 5.4) 2 Aug 2018

paypal/permissions-sdk-php is vulnerable to reflected XSS in the samples/GetAccessToken.php verification_code parameter, resulting in code execution.

CVE-2017-15640 (v3: 5.4) 21 Apr 2018

app/sections/user-menu.php in phpIPAM before 1.3.1 has XSS via the ip parameter.

CVE-2017-5827 (v3: 5.4) 15 Feb 2018

A reflected cross site scripting vulnerability in HPE Aruba ClearPass Policy Manager version 6.6.x was found.

CVE-2017-8953 (v3: 5.4) 15 Feb 2018

A Remote Cross-Site Scripting (XSS) vulnerability in HPE LoadRunner v12.53 and earlier and HPE Performance Center version v12.53 and earlier was found.

CVE-2017-5798 (v3: 6.1) 15 Feb 2018

A Remote Code Execution vulnerability in HPE OpenCall Media Platform (OCMP) was found. The vulnerability impacts OCMP versions prior to 3.4.2 RP201 (for OCMP 3.x), all versions prior to 4.4.7 RP702 (for OCMP 4.x).

CVE-2017-5800 (v3: 5.4) 15 Feb 2018

A Remote Cross-Site Scripting (XSS) vulnerability in HPE Operations Bridge Analytics version v3.0 was found.

CVE-2017-18121 (v3: 6.1) 2 Feb 2018

The consentAdmin module in SimpleSAMLphp through 1.14.15 is vulnerable to a Cross-Site Scripting attack, allowing an attacker to craft links that could execute arbitrary JavaScript code on the victim's web browser.

CVE-2017-2745 (v3: 6.1) 23 Jan 2018

Potential security vulnerabilities have been identified with HP JetAdvantage Security Manager before 3.0.1. The vulnerabilities could potentially be exploited to allow stored cross-site scripting which could allow a hacker to execute scripts in a user's browser.

CVE-2017-2746 (v3: 6.1) 23 Jan 2018

Potential security vulnerabilities have been identified with HP JetAdvantage Security Manager before 3.0.1. The vulnerabilities could potentially be exploited to allow stored cross-site scripting which could allow a hacker to create a denial of service.

CVE-2017-12810 (v3: 6.1) 30 Dec 2017

PHPJabbers PHP Newsletter Script 4.2 has stored XSS in lists in the admin panel.

CVE-2017-12811 (v3: 6.1) 30 Dec 2017

PHPJabbers Star Rating Script 4.0 has stored XSS via a rating item.

CVE-2017-12812 (v3: 6.1) 30 Dec 2017

PHPJabbers Night Club Booking Software has stored XSS in the name parameter in the reservations tab.

CVE-2017-12813 (v3: 6.1) 30 Dec 2017

PHPJabbers File Sharing Script 1.0 has stored XSS in the comments section.

CVE-2017-17953 (v3: 6.1) 28 Dec 2017

PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the category.php chid1 parameter.

CVE-2017-17954 (v3: 6.1) 28 Dec 2017

PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the seller-view.php usid parameter.

CVE-2017-17955 (v3: 6.1) 28 Dec 2017

PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the shopping-cart.php cusid parameter.

CVE-2017-17956 (v3: 6.1) 28 Dec 2017

PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the admin/sellerupd.php companyname parameter.

CVE-2017-17958 (v3: 6.1) 28 Dec 2017

PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the my_wishlist.php fid parameter.

CVE-2017-17937 (v3: 6.1) 28 Dec 2017

Vanguard Marketplace Digital Products PHP has XSS via the phps_query parameter to /search.

CVE-2017-14359 (v3: 5.4) 3 Nov 2017

A potential security vulnerability has been identified in HPE Performance Center versions 12.20. The vulnerability could be remotely exploited to allow cross-site scripting.

CVE-2017-14357 (v3: 6.1) 31 Oct 2017

A Reflected and Stored Cross-Site Scripting (XSS) vulnerability in HP ArcSight ESM and HP ArcSight ESM Express, in any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1. This vulnerability could be exploited remotely to allow Reflected and Stored Cross-Site Scripting (XSS)

CVE-2017-15872 (v3: 4.8) 24 Oct 2017

phpwcms 1.8.9 has XSS in include/inc_tmpl/admin.edituser.tmpl.php and include/inc_tmpl/admin.newuser.tmpl.php via the username (aka new_login) field.

CVE-2017-15809 (v3: 6.1) 23 Oct 2017

In phpMyFaq before 2.9.9, there is XSS in admin/tags.main.php via a crafted tag.

CVE-2017-15727 (v3: 5.4) 22 Oct 2017

In phpMyFAQ before 2.9.9, there is Stored Cross-site Scripting (XSS) via an HTML attachment.

CVE-2017-15728 (v3: 4.8) 22 Oct 2017

In phpMyFAQ before 2.9.9, there is Stored Cross-site Scripting (XSS) via metaDescription or metaKeywords.

CVE-2017-15648 (v3: 6.1) 19 Oct 2017

In PHPSUGAR PHP Melody before 2.7.3, page_manager.php has XSS via the page_title parameter.

CVE-2017-15384 (v3: 6.1) 16 Oct 2017

rate-me.php in Rate Me 1.0 has XSS via the id field in a rate action.

CVE-2017-15305 (v3: 6.1) 15 Oct 2017

XSS exists in NexusPHP 1.5 via the keyword parameter to messages.php.

CVE-2017-14354 (v3: 6.1) 5 Oct 2017

A remote cross-site scripting vulnerability in HP UCMDB Foundation Software versions 10.10, 10.11, 10.20, 10.21, 10.22, 10.30, 10.31, 10.32, and 10.33 could be remotely exploited to allow cross-site scripting.

CVE-2017-12792 (v3: 6.1) 3 Oct 2017

Multiple cross-site request forgery (CSRF) vulnerabilities in NexusPHP 1.5 allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) linkname, (2) url, or (3) title parameter in an add action to linksmanage.php.

CVE-2017-13986 (v3: 6.1) 30 Sept 2017

A reflected Cross-Site Scripting(XSS) vulnerability in ArcSight ESM and ArcSight ESM Express, any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1, allows for unintended information when a specific URL is sent to the system.

CVE-2017-14352 (v3: 6.1) 30 Sept 2017

A potential security vulnerability has been identified in HP UCMDB Configuration Manager versions 10.10, 10.11, 10.20, 10.21, 10.22, 10.23. These vulnerabilities could be remotely exploited to allow cross-site scripting.

CVE-2017-14618 (v3: 4.8) 20 Sept 2017

Cross-site scripting (XSS) vulnerability in inc/PMF/Faq.php in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the Questions field in an "Add New FAQ" action.

CVE-2017-14619 (v3: 6.1) 20 Sept 2017

Cross-site scripting (XSS) vulnerability in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the "Title of your FAQ" field in the Configuration Module.

CVE-2017-14534 (v3: 6.1) 18 Sept 2017

Cross Site Scripting (XSS) exists in NexusPHP 1.5.beta5.20120707 via the PATH_INFO to location.php, related to PHP_SELF.

CVE-2017-14347 (v3: 6.1) 12 Sept 2017

NexusPHP 1.5.beta5.20120707 has XSS in the returnto parameter to fun.php in a delete action.

CVE-2017-12906 (v3: 6.1) 7 Sept 2017

Multiple cross-site scripting (XSS) vulnerabilities in NexusPHP allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) cheaters.php or (2) confirm_resend.php.

CVE-2017-14070 (v3: 6.1) 31 Aug 2017

Cross Site Scripting (XSS) exists in NexusPHP 1.5.beta5.20120707 via the PATH_INFO to ipsearch.php, related to PHP_SELF.

CVE-2017-12984 (v3: 6.1) 21 Aug 2017

PHPMyWind 5.3 has XSS in shoppingcart.php, related to message.php, admin/message.php, and admin/message_update.php.

CVE-2017-12680 (v3: 6.1) 18 Aug 2017

Cross-Site Scripting (XSS) exists in NexusPHP 1.5 via the type parameter to shoutbox.php.

CVE-2017-12907 (v3: 6.1) 17 Aug 2017

Cross-Site Scripting (XSS) exists in NexusPHP version v1.5 via the url path to usersearch.php.

CVE-2017-12798 (v3: 6.1) 10 Aug 2017

Cross-Site Scripting (XSS) exists in NexusPHP version v1.5 via the q parameter to searchsuggest.php.

CVE-2017-12777 (v3: 6.1) 9 Aug 2017

Cross-Site Scripting (XSS) exists in NexusPHP version v1.5 via some parameter to usersearch.php.

CVE-2017-12655 (v3: 6.1) 7 Aug 2017

Cross-Site Scripting (XSS) exists in NexusPHP version v1.5 via the query parameter to log.php in a dailylog action.

CVE-2017-11651 (v3: 6.1) 26 Jul 2017

NexusPHP V1.5 has XSS via a javascript: or data: URL in a UBBCode url tag.

CVE-2016-4392 (v3: 5.4) 6 Aug 2018

A remote cross site scripting vulnerability has been identified in HP Business Service Management software v9.1x, v9.20 - v9.25IP1.

CVE-2016-4399 (v3: 5.4) 6 Aug 2018

A security vulnerability was identified in HP Network Node Manager i (NNMi) Software 10.00, 10.01 (patch1), 10.01 (patch 2), 10.10. The vulnerability could result in cross-site scripting (XSS).

CVE-2016-4400 (v3: 5.4) 6 Aug 2018

A security vulnerability was identified in HP Network Node Manager i (NNMi) Software 10.00, 10.01 (patch1), 10.01 (patch 2), 10.10. The vulnerability could result in cross-site scripting (XSS).

CVE-2016-8527 (v3: 6.1) 6 Aug 2018

Aruba Airwave all versions up to, but not including, 8.2.3.1 is vulnerable to a reflected cross-site scripting (XSS). The vulnerability is present in the VisualRF component of AirWave. By exploiting this vulnerability, an attacker who can trick a logged-in AirWave administrative user into clicking a link could obtain sensitive information, such as session cookies or passwords. The vulnerability requires that an administrative users click on the malicious link while currently logged into AirWave in the same browser.

CVE-2016-9493 (v3: 6.1) 13 Jul 2018

The code generated by PHP FormMail Generator prior to 17 December 2016 is vulnerable to stored cross-site scripting. In the generated form.lib.php file, upload file types are checked against a hard-coded list of dangerous extensions. This list does not include all variations of PHP files, which may lead to execution of the contained PHP code if the attacker can guess the uploaded filename. The form by default appends a short random string to the end of the filename.

CVE-2016-8517 (v3: 6.1) 15 Feb 2018

A cross site scripting vulnerability in HPE Systems Insight Manager in all versions prior to 7.6 was found.

CVE-2016-8522 (v3: 5.4) 15 Feb 2018

A cross-site scripting vulnerability in HPE Diagnostics version 9.24 IP1, 9.26 , 9.26IP1 was found.

CVE-2016-8532 (v3: 5.4) 15 Feb 2018

A cross site scripting vulnerability in HPE Matrix Operating Environment version 7.6 was found.

CVE-2016-10508 (v3: 6.1) 31 Aug 2017

Multiple cross-site scripting (XSS) vulnerabilities in phpThumb() before 1.7.14 allow remote attackers to inject arbitrary web script or HTML via parameters in demo/phpThumb.demo.showpic.php.

CVE-2016-6607 (v3: 6.1) 11 Dec 2016

XSS issues were discovered in phpMyAdmin. This affects Zoom search (specially crafted column content can be used to trigger an XSS attack); GIS editor (certain fields in the graphical GIS editor are not properly escaped and can be used to trigger an XSS attack); Relation view; the following Transformations: Formatted, Imagelink, JPEG: Upload, RegexValidation, JPEG inline, PNG inline, and transformation wrapper; XML export; MediaWiki export; Designer; When the MySQL server is running with a specially-crafted log_bin directive; Database tab; Replication feature; and Database search. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.

CVE-2016-6608 (v3: 6.1) 11 Dec 2016

XSS issues were discovered in phpMyAdmin. This affects the database privilege check and the "Remove partitioning" functionality. Specially crafted database names can trigger the XSS attack. All 4.6.x versions (prior to 4.6.4) are affected.

CVE-2016-6615 (v3: 6.1) 11 Dec 2016

XSS issues were discovered in phpMyAdmin. This affects navigation pane and database/table hiding feature (a specially-crafted database name can be used to trigger an XSS attack); the "Tracking" feature (a specially-crafted query can be used to trigger an XSS attack); and GIS visualization feature. All 4.6.x versions (prior to 4.6.4) and 4.4.x versions (prior to 4.4.15.8) are affected.

CVE-2016-9856 (v3: 6.1) 11 Dec 2016

An XSS issue was discovered in phpMyAdmin because of an improper fix for CVE-2016-2559 in PMASA-2016-10. This issue is resolved by using a copy of a hash to avoid a race condition. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.

CVE-2016-9857 (v3: 6.1) 11 Dec 2016

An issue was discovered in phpMyAdmin. XSS is possible because of a weakness in a regular expression used in some JavaScript processing. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.

CVE-2016-4393 (v3: 5.4) 28 Oct 2016

HPE System Management Homepage before v7.6 allows "remote authenticated" attackers to obtain sensitive information via unspecified vectors, related to an "XSS" issue.

CVE-2016-4380 (v3: 5.4) 8 Sept 2016

Cross-site scripting (XSS) vulnerability in the AdminUI in HPE Operations Manager 9.21.x before 9.21.130 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

CVE-2016-4851 (v3: 6.1) 2 Sept 2016

Cross-site scripting (XSS) vulnerability in Let's PHP! simple chat before 2016-08-15 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2016-5099 (v3: 6.1) 5 Jul 2016

Cross-site scripting (XSS) vulnerability in phpMyAdmin 4.4.x before 4.4.15.6 and 4.6.x before 4.6.2 allows remote attackers to inject arbitrary web script or HTML via special characters that are mishandled during double URL decoding.

CVE-2016-5731 (v3: 6.1) 3 Jul 2016

Cross-site scripting (XSS) vulnerability in examples/openid.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving an OpenID error message.

CVE-2016-5732 (v3: 6.1) 3 Jul 2016

Multiple cross-site scripting (XSS) vulnerabilities in the partition-range implementation in templates/table/structure/display_partitions.phtml in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via crafted table parameters.

CVE-2016-5733 (v3: 6.1) 3 Jul 2016

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a crafted table name that is mishandled during privilege checking in table_row.phtml, (2) a crafted mysqld log_bin directive that is mishandled in log_selector.phtml, (3) the Transformation implementation, (4) AJAX error handling in js/ajax.js, (5) the Designer implementation, (6) the charts implementation in js/tbl_chart.js, or (7) the zoom-search implementation in rows_zoom.phtml.

CVE-2016-5704 (v3: 6.1) 3 Jul 2016

Cross-site scripting (XSS) vulnerability in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving a comment.

CVE-2016-4363 (v3: 6.1) 8 Jun 2016

HPE Insight Control server deployment allows remote attackers to modify data via unspecified vectors.

CVE-2016-1222 (v3: 6.1) 5 Jun 2016

Cross-site scripting (XSS) vulnerability in Kobe Beauty php-contact-form before 2016-05-18 allows remote attackers to inject arbitrary web script or HTML via a crafted URI.

CVE-2016-2010 (v3: 5.4) 7 May 2016

Cross-site scripting (XSS) vulnerability in HPE Network Node Manager i (NNMi) 9.20, 9.23, 9.24, 9.25, 10.00, and 10.01 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-2011.

CVE-2016-2011 (v3: 5.4) 7 May 2016

Cross-site scripting (XSS) vulnerability in HPE Network Node Manager i (NNMi) 9.20, 9.23, 9.24, 9.25, 10.00, and 10.01 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-2010.

CVE-2016-2559 (v3: 5.4) 1 Mar 2016

Cross-site scripting (XSS) vulnerability in the format function in libraries/sql-parser/src/Utils/Error.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.5.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted query.

CVE-2016-2560 (v3: 6.1) 1 Mar 2016

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.15, 4.4.x before 4.4.15.5, and 4.5.x before 4.5.5.1 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Host HTTP header, related to libraries/Config.class.php; (2) crafted JSON data, related to file_echo.php; (3) a crafted SQL query, related to js/functions.js; (4) the initial parameter to libraries/server_privileges.lib.php in the user accounts page; or (5) the it parameter to libraries/controllers/TableSearchController.class.php in the zoom search page.

CVE-2016-2561 (v3: 5.4) 1 Mar 2016

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.5 and 4.5.x before 4.5.5.1 allow remote authenticated users to inject arbitrary web script or HTML via (1) normalization.php or (2) js/normalization.js in the database normalization page, (3) templates/database/structure/sortable_header.phtml in the database structure page, or (4) the pos parameter to db_central_columns.php in the central columns page.

CVE-2016-2045 (v3: 5.4) 20 Feb 2016

Cross-site scripting (XSS) vulnerability in the SQL editor in phpMyAdmin 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a SQL query that triggers JSON data in a response.